Abstract. This paper presents a range of quantitative extensions for the temporal logic
CTL. We enhance temporal modalities with the ability to constrain the number of states
satisfying certain sub-formulas along paths. By selecting the combinations of Boolean and
arithmetic operations allowed in constraints, one obtains several distinct logics generalizing
CTL. We provide a thorough analysis of their expressiveness and succinctness, and of the
complexity of their model-checking and satisfiability problems (ranging from P-complete to
undecidable). Finally, we present two alternative logics with similar features and provide
a comparative study of the properties of both variants.



1. Introduction 

Among the existing approaches to the formal verification of automated systems, model
checking [CE81, QS82] aims at automatically establishing the validity of a certain formal
specification (modeled as a formula in a suitable logic) over the system under study (modeled
for instance as a finite transition system). This set of techniques is now well established
and successful, with several industrial applications.

To formalize the specification of temporal properties, for instance in the case of reactive
systems, temporal logics (TL) were proposed thirty years ago [Pnu77] and widely studied
since. They are today used in many model-checking tools. There exists a wide variety of
temporal logics, differing for instance by the models over which formulas are interpreted
or by the kind of available temporal modalities. Two well-known examples are LTL in
the linear-time framework (where formulas are interpreted over infinite runs) and CTL for
the branching-time case (where formulas are interpreted over states of Kripke structures).
See [Eme90] for a survey of classical temporal logics for systems specification.

Temporal logics have been extended in various ways in order to increase their expressive
power. For example, while LTL and CTL only handle future operators, it is also possible to
consider past-time modalities to express properties of the past of a run. One can also extend
temporal logics with regular expressions (see for instance [Wol83, ET97]). Other extensions
were proposed to handle quantitative aspects of systems. For example, some logics can contain
timing constraints to specify that an event, say $P_1$, has to occur less than 10 time units
before another event $P_2$. This kind of temporal logics, such as TCTL [ACD93, EMSS92],
has been particularly studied in the framework of timed model checking. Another quantitative
extension consists in probabilistic logics where one can specify probability bounds
over the truth of some property (see for instance [BdA95]).

We propose several extensions of CTL with constraints over the number of states satisfying
certain sub-formulas along runs. For example, considering a model for an ATM, we
can express the property "whenever the PIN is locked, at least three erroneous attempts
have been made" by: $\neg EF_{[\#error \le 2]}\, lock$ (one cannot reach a state where the PIN is locked
but less than two errors have occurred). Similarly, $\neg EF_{[\#error \ge 3]}\, money$ states that three
mistakes forbid cash retrieval. We put a subscript on the temporal modality (as in TCTL)
to constrain the runs over which the modality holds. Note that most properties of this kind
can also be expressed in CTL by nesting E_U_ modalities, but the resulting formulas may
be too large to be conveniently handled by the user of a model checker. This is discussed
in more detail in Section 3, where we study the expressiveness of each of our fragments
compared to CTL. In some cases, there exist natural translations into equivalent CTL formulas,
implying that there is no strict gain in expressiveness. However, these translations
are often at best exponentially larger than the original formula. In other cases, we show
that our extensions strictly increase the expressive power of CTL.

We consider the model checking problem for various sets C of constraints. We show 
that polynomial-time algorithms exist when considering Until modalities with constraints of 



combinations of such constraints or integer coefficients in the sum (or both) makes model
checking $\Delta_2^P$-complete. We also consider the case of "diagonal" constraints $(\#\varphi - \#\psi) \sim c$ and
their more general form $(\sum_i \pm \#\varphi_i) \sim c$ with $c \in \mathbb{Z}$, and show that model checking can still be
done in polynomial time. However, allowing Boolean combinations of such constraints leads
to undecidability. We also investigate the complexity of the satisfiability problem, which
is 2-EXPTIME-complete for all fragments without subtraction and undecidable otherwise.
Finally, in order to investigate alternative definitions of counting logics generalizing CTL,
we define another semantics for our logics (called cumulative semantics) and a logic with
explicit variables. In both cases, we show that this induces a complexity blow-up for model
checking, which becomes PSPACE-complete without subtraction and undecidable otherwise.
The asymptotic complexity of satisfiability however remains 2-EXPTIME-complete in all
decidable cases.

Several existing works provide related results. In [LMP10a], we presented a preliminary
version of the current article. Proofs and constructions were since considerably refined,
and are provided here in greater detail. This paper also provides new satisfiability
results. In [LMP10b], we provided a similar study of counting extensions of LTL and CTL*.
In [ET97], an extension of LTL with a kind of regular expressions containing quantitative
constraints over the number of occurrences of sub-expressions is presented. This extension

¹ Unless stated otherwise, complexity results always assume a binary encoding of constants.
yields algorithms whose time complexity is exponential in the size of formulas and the value
of integer constants. In [ET99], extensions of CTL including parameters in constraints
are defined. One of these formalisms, namely GPCTL, allows one to express properties
with constraints defined as positive Boolean combinations of sums of the form $\sum_i P_i \le c$
where every $P_i$ is an atomic proposition. Model-checking E_U_ formulas with such a constraint
is shown to be NP-complete and a polynomial algorithm is given for a restricted
logic (with parameters). Another interesting specification language is Sugar/PSL [PSL03],
which defines many additional operators above LTL and CTL*. These include in particular
a kind of counting constraints used together with regular expressions, but to our knowledge,
there is no accurate study of lower complexity bounds for these extensions [BFH05].
In [YMW97], a branching-time temporal logic with general counting constraints (using a
variant of freeze variables) is defined to specify event-driven real-time systems. To obtain
decidability, the authors restrict their analysis to systems verifying some bounded progress
condition. In [BEH95a, BEH95b], extensions of LTL and CTL with Presburger constraints
over the number of states satisfying a formula are considered, for a class of infinite state
processes. The complexity of these problems is much higher than the cases we are concerned
with. Finally there also exist timed extensions of CTL interpreted over Kripke structures
(see for instance [EMSS92]).

The paper is organized as follows. In Section 2 we introduce the definitions of the
main formalisms we will use. In Section 3 we show that several of our proposed extensions
are not more expressive than classical CTL, yet exponentially more succinct. In Section 4
we address the model-checking problem and provide exact complexity results for almost all
the logics we introduce. In Section 5 we study the complexity of the satisfiability problem.
Finally we present in Section 6 a different logic with explicit counting variables, as well as
an alternative semantics for our logics, together with the complexity of the related model-checking
problems.

2. Definitions 

2.1. Models. Let AP be a set of atomic propositions. In branching-time temporal logics,
formulas are generally interpreted over states of Kripke structures.

Definition 2.1. A Kripke structure (or KS) $S$ is a tuple $(Q, R, \ell)$ where $Q$ is a finite set
of states, $R \subseteq Q \times Q$ is a total² transition relation and $\ell : Q \to 2^{AP}$ is a labelling of states
with atomic propositions.

A run $\rho$ of $S$ is an infinite sequence of states $q_0 q_1 q_2 \cdots$ such that $(q_i, q_{i+1}) \in R$ for every
$i$. We use $\rho(i)$ to denote state $q_i$, $\rho|_i$ to denote the prefix $q_0 \cdots q_i$ of $\rho$, and $\varepsilon$ to represent
the empty prefix. Notice that $\rho|_{-1} = \varepsilon$, but $\rho|_0 = q_0 \neq \varepsilon$. $\mathrm{Runs}(q)$ denotes the set of runs
starting from some state $q \in Q$ and $\mathrm{Runs}(S)$ (resp. $\mathrm{Prefs}(S)$) the set of all runs (resp. finite
prefixes of runs) in $S$. The length $|\sigma|$ of a finite run prefix $\sigma$ is defined as usual (i.e. $|\sigma| = 0$
if $\sigma = \varepsilon$ and $|\sigma| = i + 1$ if $\sigma = q_0 \cdots q_i$). Note in particular that for any run $\rho$, $|\rho|_i| = i + 1$.
We write $\sigma \prec \rho$ when $\sigma$ is a prefix of $\rho$.

We will also consider durational Kripke structures (DKS), where an integer duration is
associated with every transition. A DKS $S = (Q, R, \ell)$ is defined similarly to a KS, except
that $R \subseteq Q \times \mathbb{Z} \times Q$. The duration of a transition is also called a weight or a cost, especially
when negative values are used to label a transition. We use $\mathrm{DKS}^1$ to denote the class of
DKS in which every weight is 1, $\mathrm{DKS}^{0/1}$ when the weights belong to $\{0, 1\}$, and $\mathrm{DKS}^{-1/0/1}$
when they belong to $\{-1, 0, 1\}$. The notion of weight is additively extended to finite runs of
DKS. The existence of a transition of weight $k$ between states $p$ and $q$ is sometimes denoted
as $p \xrightarrow{k}_R q$, that of a finite run of weight $k$ as $p \xRightarrow{k}_R q$. $R$ may be omitted when it is clear
from the context. The weight of a finite run $\rho$ is also denoted as $\|\rho\|$.

² By total relation, we mean a relation $R \subseteq Q \times Q$ such that $\forall p \in Q,\ \exists q \in Q,\ (p, q) \in R$.



2.2. Counting CTL. We define several extensions of CTL able to express constraints over
the number of times certain sub-formulas are satisfied along a run.

Definition 2.2. Given a set of atomic propositions AP, we define the logic CCTL as the
set of formulas

$$\varphi, \psi ::= P \mid \varphi \wedge \psi \mid \neg\varphi \mid E\varphi U_{[C]}\psi \mid A\varphi U_{[C]}\psi$$

where $P \in AP$ and $C$ is a constraint of the form

$$C ::= \Big(\sum_{i=1}^{m} \alpha_i \cdot \#\varphi_i\Big) \sim k$$

where $\varphi_i \in \mathrm{CCTL}$, $\alpha_i, k \in \mathbb{N}$ and $\sim \in \{<, \le, =, \ge, >\}$.

We make use of the standard abbreviations $\vee$, $\Rightarrow$, $\Leftrightarrow$, $\bot$, $\top$, as well as the additional
modalities $EF_{[C]}\varphi = E\top U_{[C]}\varphi$, $AF_{[C]}\varphi = A\top U_{[C]}\varphi$, and their duals $AG_{[C]}\varphi = \neg EF_{[C]}\neg\varphi$
and $EG_{[C]}\varphi = \neg AF_{[C]}\neg\varphi$. Any formula occurring in a constraint $C$ associated with a
modality in $\Phi$ is considered a sub-formula of $\Phi$. The size $|\Phi|$ of $\Phi$ thus takes into account
the size of these constraints and their sub-formulas, assuming that integer constants are
encoded in binary (unless explicitly stated otherwise). The DAG-size of $\Phi$ is the number
of distinct sub-formulas of $\Phi$. As model-checking algorithms may be implemented in such
a way that the truth value of each sub-formula is computed only once, for instance using
dynamic programming, this is generally more relevant to the complexity of model-checking.

We also introduce several variants and extensions of CCTL:

• $\mathrm{CCTL}_1$ is the restriction of CCTL where every coefficient $\alpha_i$ occurring in the constraints
is equal to 1. Thus the constraints are of the form $(\sum_i \#\varphi_i) \sim k$. For
example, $EF_{[\#P + \#P' = 10]}\, P''$ belongs to $\mathrm{CCTL}_1$.

• $\mathrm{CCTL}_\pm$ is an extension of CCTL where coefficients $\alpha_i$ are in $\mathbb{Z}$. The formula
$EF_{[\#P - \#P' = 10]}\, P''$ belongs to $\mathrm{CCTL}_\pm$.

• $\mathrm{CCTL}^\wedge$ extends CCTL by allowing Boolean combinations in the constraints. For
example, $EF_{[\#P < 4 \wedge \#P' > 8]}$ is in $\mathrm{CCTL}^\wedge$.

We can combine the previous variants and define the logics $\mathrm{CCTL}_{\pm 1}$, $\mathrm{CCTL}^\wedge_1$, $\mathrm{CCTL}^\wedge_\pm$
and $\mathrm{CCTL}^\wedge_{\pm 1}$. The semantics of our logics are defined over Kripke structures as follows:

Definition 2.3. The following clauses define the conditions for a state $q$ of some KS $S =
(Q, R, \ell)$ to satisfy a formula $\varphi$ (written $q \models_S \varphi$) by induction over the structure of $\varphi$:

$q \models_S P$ iff $P \in \ell(q)$

$q \models_S \neg\varphi$ iff $q \not\models_S \varphi$

$q \models_S \varphi \wedge \psi$ iff $q \models_S \varphi$ and $q \models_S \psi$

$q \models_S E\varphi U_{[C]}\psi$ iff $\exists \rho \in \mathrm{Runs}(q),\ \rho \models_S \varphi U_{[C]}\psi$

$q \models_S A\varphi U_{[C]}\psi$ iff $\forall \rho \in \mathrm{Runs}(q),\ \rho \models_S \varphi U_{[C]}\psi$

where $\rho \models_S \varphi U_{[C]}\psi$ iff $\exists i \ge 0,\ \rho(i) \models_S \psi,\ \rho|_{i-1} \models_S C$ and $\forall 0 \le j < i,\ \rho(j) \models_S \varphi$.

For every finite run prefix $\sigma = q_0 \cdots q_i$, the meaning of $\sigma \models_S C$ is based on the
interpretation of $\#\varphi$ over $\sigma$, which is the number of states among $q_0, \ldots, q_i$ verifying $\varphi$,
denoted by $|\sigma|_\varphi$ and defined as: $|\sigma|_\varphi = |\{j \mid 0 \le j \le i \wedge \sigma(j) \models_S \varphi\}|$. Given these values,
$C$ is evaluated as an ordinary equation or inequation over integer expressions.

In the following we omit the subscript $S$ for $\models$ when no confusion occurs. We use $\equiv$ to
denote the standard equivalence between formulas.

Remark 2.4. It can be derived from the above definitions that formula $EF_{[C]}\varphi$ holds
from $q$ if and only if there is a run $\rho$ from $q$ and an index $i$ such that $\rho(i) \models \varphi$ and
$\rho|_{i-1} \models C$. Similarly, $EG_{[C]}\varphi$ holds if and only if there exists a run $\rho$ such that, whenever
a finite prefix of $\rho$ satisfies $C$, the next state must satisfy $\varphi$ (in other words, for all $i \ge 0$,
$\rho|_{i-1} \models C \Rightarrow \rho(i) \models \varphi$).

Remark 2.5. The above semantics imply that the truth value of a constraint only depends
on the strict prefix of the run leading to (but not including) the current state. This is
not an essential feature, and another definition would also be valid. However, this choice is
consistent with the semantics of existing logics (in particular TCTL [ACD93]). It also allows
us to express the classical X (or next) operator as $EX\varphi = EF_{[\#\top = 1]}\varphi$. Moreover, under this
semantics the formulas $E\neg\psi U\psi$, $E\top U_{[\#\psi = 0]}\psi$ and $EF_{[\#\psi = 0]}\psi$ are all equivalent.

Remark 2.6. In all logics allowing Boolean connectives inside constraints, the modality F
is sufficient to define U. Indeed, $E\varphi U_{[C]}\psi \equiv EF_{[C \wedge \#(\neg\varphi) = 0]}\psi$ (and similarly for A-quantified
formulas). Thus every such logic can also be built from atomic propositions using Boolean
operators and modalities $EF_{[C]}\varphi$ and $AF_{[C]}\varphi$ (or $EG_{[C]}\varphi$). Note that all these translations
are succinct (linear in the size of formulas) and thus do not have any impact on complexity
results.

Remark 2.7. The related temporal logic TCTL, whose semantics is defined over timed
models (in particular durational Kripke structures), allows one to label temporal modalities
with duration constraints. For instance, one may write $A\varphi U_{\le k}\psi$ to express the fact that $\varphi$
is consistently true until, before $k$ time units have elapsed, $\psi$ eventually holds.

When all transitions in a DKS have duration 1 (i.e. the duration of any run is equal
to its length), TCTL (or RTCTL in [EMSS92]) formulas can be directly expressed in any
variant of CCTL using only the sub-formula $\top$ inside constraints. A similar coding is also
possible when one uses a proposition tick to mark the elapse of time as in [LBT03].

2.3. Examples of CCTL formulas. We now give several examples of natural quantitative
properties that can be easily expressed with CCTL-like logics.

(1) First consider an engine or plant that has to be controlled every 10000 cycles.
Suppose a warning is activated whenever the number of elapsed cycles since the
last control belongs to the interval [9900; 9950], and is maintained until the next
control is done. Moreover, an alarm is raised when the number of cycles is above
10100 (unless a control was performed in-between) and is maintained until the next
control. Such a specification could be expressed in CCTL as follows:
(a) Either a control or a warning must occur in every period of 9950 cycles:

$AG\,(AF_{[\#cycle \le 9950]}\,(control \vee warning))$

where cycle (resp. warning, control) labels states corresponding to the end
of a cycle (resp. a warning, a control action).

(b) A warning cannot occur before 9900 cycles after a control:

$AG\,(control \Rightarrow \neg EF_{[\#cycle < 9900]}\, warning)$.

(c) A control or an alarm occurs in every period of 10100 cycles:

$AG\,(AF_{[\#cycle \le 10100]}\,(control \vee warning))$.

(d) An alarm cannot occur strictly before 10100 cycles after a control:

$AG\,(control \Rightarrow \neg EF_{[\#cycle < 10100]}\, alarm)$.

(e) The warning and the alarm are maintained:

$AG\,(warning \Rightarrow A\, warning\, U\, (alarm \vee control))$

and

$AG\,(alarm \Rightarrow A\, alarm\, W\, control)$.

Note that we use a weak Until modality in the latter formula because we cannot
ensure the occurrence of a control.

(2) Consider a model for an ATM, whose atomic propositions include money, reset and
error, with the obvious meaning. To specify that it is not possible to get money
after three mistakes were made in the same session (i.e. with no intermediate reset),
we can use the $\mathrm{CCTL}^\wedge_1$ formula

$AG\,(\neg EF_{[\#error \ge 3 \wedge \#reset = 0]}\, money)$,

or the $\mathrm{CCTL}_1$ formula

$AG\,(\neg E(\neg reset)U_{[\#error \ge 3]}\, money)$.

(3) Consider a mutual exclusion algorithm with $n$ processes trying to reach their critical
section (CS). We can express a bounded waiting property with bound 10 (i.e. when
a process $P$ tries to reach its CS, then at most 10 other processes can reach theirs
before $P$ does) by the $\mathrm{CCTL}^\wedge_1$ formula

$AG \bigwedge_{i \in [1,n]} \big(request_i \Rightarrow \neg EF_{[\sum_{j \ne i} \#CS_j > 10 \wedge \#CS_i = 0]}\, \top\big)$.

As in the previous case, this can also be expressed in $\mathrm{CCTL}_1$ using U instead of F.

(4) In a model for a communicating system with events for the emission and reception
of messages, the $\mathrm{CCTL}_{\pm 1}$ formula $AG_{[\#send - \#receive < 0]}\, \bot$ states that along any finite
run, the number of receive events cannot exceed the number of send events.

(5) Quantitative constraints can also be useful for fairness properties. For example
the $\mathrm{CCTL}^\wedge_1$ formula $AG\,AF_{[\bigwedge_i 5 \le \#\varphi_i \le 10]}\, \top$ states that each $\varphi_i$ occurs infinitely often
along every run (as does the CTL formula $\bigwedge_i (AG\,AF\,\varphi_i)$) but also ensures some
constraint on the number of states satisfying formulas $\varphi_i$ along every execution: for
example, it is not possible to have a sub-run where $\varphi_1$ holds in 11 states and $\varphi_2$ in
only 4 states.

(6) Note that $\mathrm{CCTL}_\pm$ can express properties about the ratio between the number of
occurrences of two kinds of states along a run. For example, $EF_{[100 \cdot \#error - \#\top < 0]}\, P$ is
true when there is a run leading to some state satisfying $P$ along which the rate of
error states is less than 1 percent. In fact any constraint of the form $\frac{\#\varphi}{\#\psi} \sim k$ can
be expressed in this logic.

(7) Finally note that we can use any temporal formula inside a constraint (and not only
atomic propositions). For example, $AG\,(EF_{[\#(EX\, alarm) \le 5]}\, init)$ states that it is always
possible to reach init with a path along which at most 5 states have a successor
satisfying alarm.

Note that expressing these properties is rather straightforward using counting con- 
straints. When considering a classical temporal logic, such properties cannot easily be 
expressed directly. Unfolding the formula as it is done in the next section to prove expres- 
siveness results cannot be achieved in practice even when the integer constraints are small: 
the formula would most of the time become too long and too complex to be handled. A 
possible pragmatic solution to avoid counting constraints would be to add one or several
counters to the model and to use additional atomic propositions to mark states (or rather, 
in such an extended model, configurations) where the constraints over the values of counters 
are satisfied. First note that this method may be less convenient or even inapplicable in 
some cases, as it requires modifying the model under verification. Moreover, this approach is 
difficult to use when counting constraints do not only refer to atomic propositions, but deal 
with nested temporal logic formulas (as in the last example above) or even other counting 
properties, as this would require even more drastic modifications to the model. 

These examples illustrate the ability of our logics to state properties over the portion
of a run leading to some state. A similar kind of properties could also be expressed with
past-time modalities (like $S$ or $F^{-1}$), but unlike these modalities our constraints cannot
easily describe the ordering of events in the past: they "only" allow to count the number of
occurrences of formulas. We will see in the next sections that our extensions do not always
induce a complexity blow-up, while model-checking CTL + $F^{-1}$ is known to be PSPACE-complete
[LS00].
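To make the run-prefix semantics of Definition 2.3 and the ATM property of example (2) concrete, here is an added example (not code from the paper) of a small explicit-state checker for the existential fragment E_U_ with a single sum constraint: it searches the product of the Kripke structure with the counter vector of the strict prefix, saturating counters at k+1. The ATM model, its state numbering and its labels are constructed assumptions.

```python
# Added example (not the authors' code): an explicit-state model checker for the
# existential fragment of CCTL, i.e. formulas built from atomic propositions,
# negation, conjunction and E phi U_[C] psi with one constraint sum(a_i * #phi_i) ~ k,
# following Definitions 2.2 and 2.3.  The ATM model and its state names are
# constructed for illustration and are assumptions.
from collections import deque
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}


class KS:
    """Kripke structure (Q, R, l): succ maps each state to its successors (R must be
    total), labels maps each state to its set of atomic propositions."""
    def __init__(self, succ, labels):
        assert all(succ[q] for q in succ), "transition relation must be total"
        self.succ, self.labels = succ, labels


# Formulas are nested tuples; a constraint is (terms, op, k) with
# terms = [(a_i, phi_i), ...] meaning (sum_i a_i * #phi_i) op k, a_i in N.
def AP(p):            return ("ap", p)
def Not(f):           return ("not", f)
def And(f, g):        return ("and", f, g)
def EU(f, c, g):      return ("EU", f, c, g)                 # E f U_[c] g
TRUE = ("true",)
NO_CONSTRAINT = ([], ">=", 0)                                 # empty sum >= 0: always true
def EF(c, g):         return EU(TRUE, c, g)                   # EF_[c] g = E true U_[c] g
def AG(g):            return Not(EF(NO_CONSTRAINT, Not(g)))  # AG g = not EF not g


def sat(ks, f):
    """Set of states of ks satisfying f, computed bottom-up over sub-formulas."""
    kind = f[0]
    if kind == "true":
        return set(ks.succ)
    if kind == "ap":
        return {q for q in ks.succ if f[1] in ks.labels[q]}
    if kind == "not":
        return set(ks.succ) - sat(ks, f[1])
    if kind == "and":
        return sat(ks, f[1]) & sat(ks, f[2])
    if kind == "EU":
        _, lhs, (terms, op, k), rhs = f
        s_lhs, s_rhs = sat(ks, lhs), sat(ks, rhs)
        s_terms = [(a, sat(ks, phi)) for a, phi in terms]
        return {q for q in ks.succ if _eu_from(ks, q, s_lhs, s_terms, op, k, s_rhs)}
    raise ValueError(f"unknown formula kind {kind}")


def _eu_from(ks, q0, s_lhs, s_terms, op, k, s_rhs):
    """Is there a run rho from q0 with rho |= lhs U_[C] rhs?  Breadth-first search
    over pairs (state, counter vector of the strict prefix).  Because coefficients
    are non-negative, counters can be saturated at k+1 without changing the truth
    value of C against k, so the search space is finite."""
    cap = k + 1
    start = (q0, (0,) * len(s_terms))            # empty prefix: every #phi_i is 0
    seen, todo = {start}, deque([start])
    while todo:
        q, counts = todo.popleft()
        total = sum(a * c for (a, _), c in zip(s_terms, counts))
        if q in s_rhs and OPS[op](total, k):
            return True                           # rho(i) |= rhs and rho|_{i-1} |= C
        if q not in s_lhs:
            continue                              # lhs must hold on every earlier state
        # The current state now joins the prefix: bump the counters it contributes to.
        nxt = tuple(min(cap, c + (q in s)) for (_, s), c in zip(s_terms, counts))
        for q2 in ks.succ[q]:
            if (q2, nxt) not in seen:
                seen.add((q2, nxt))
                todo.append((q2, nxt))
    return False


# Constructed ATM model: 0 = start of a session (reset), 1..3 = successive erroneous
# PIN entries, 4 = PIN locked, 5 = cash delivered.  The PIN locks after three errors.
ATM = KS(succ={0: [1, 5], 1: [2, 5], 2: [3, 5], 3: [4], 4: [4], 5: [0]},
         labels={0: {"reset"}, 1: {"error"}, 2: {"error"}, 3: {"error"},
                 4: {"lock"}, 5: {"money"}})
# A faulty variant where cash can still be delivered after the third error.
ATM_FAULTY = KS(succ={**ATM.succ, 3: [4, 5]}, labels=ATM.labels)

ERR = AP("error")
# not EF_[#error <= 2] lock: a locked PIN always follows at least three errors.
LOCK_NEEDS_THREE_ERRORS = Not(EF(([(1, ERR)], "<=", 2), AP("lock")))
# AG not E(not reset) U_[#error >= 3] money: no cash after three errors in one session.
NO_CASH_AFTER_THREE_ERRORS = AG(Not(EU(Not(AP("reset")), ([(1, ERR)], ">=", 3), AP("money"))))
# EX lock encoded as EF_[#true = 1] lock (Remark 2.5).
NEXT_LOCK = EF(([(1, TRUE)], "=", 1), AP("lock"))


def violating_states(ks, f):
    """States of ks where f fails; empty when the property holds everywhere."""
    return set(ks.succ) - sat(ks, f)


if __name__ == "__main__":
    print("lock needs 3 errors, holds in:", sorted(sat(ATM, LOCK_NEEDS_THREE_ERRORS)))
    print("faulty ATM violates no-cash in:",
          sorted(violating_states(ATM_FAULTY, NO_CASH_AFTER_THREE_ERRORS)))
```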

3. Expressiveness and succinctness 

When comparing two logics, the first question which comes to mind is the range of properties 
they can be used to define, in other words their expressiveness. When they turn out to be 
equally expressive, a natural way to distinguish them is then to ask how concisely each 
logic can express a given property. This is referred to as succinctness, and is also relevant 
when studying the complexity of model-checking for instance, since it may considerably 
influence the size of a formula required to express a given property, hence the time required 
to model-check it. In this section we study the expressiveness of the various logics defined in 
the previous section, and provide results and comments about their respective succinctness 
with respect to CTL. 

3.1. Expressiveness. We first show that only allowing Boolean combinations does not
allow our logics to express more properties than CTL.

Proposition 3.1. Any $\mathrm{CCTL}^\wedge$ formula $\Phi$ can be translated into an equivalent CTL formula
of DAG-size $2^{O(|\Phi|^2)}$.



F. LAROUSSINIE, A. MEYER, AND E. PETONNET

Proof. A naive translation, using nested E_U_ and A_U_ modalities to precisely count the
number of times each sub-formula inside a constraint is satisfied, is sufficient to show the
result. However the size of a translated formula would in general be exponential in the
value of all integer constants and in the DAG-size of the original formula. We thus propose
a more concise (yet more involved) translation, whose size will be useful later on.

Let $\Phi$ be a $\mathrm{CCTL}^\wedge$ formula. The proof is done by structural induction over $\Phi$. The
basic and Boolean cases are direct. By Remark 2.6, we only need to consider the cases
$\Phi = EF_{[C]}\varphi$ and $\Phi = AF_{[C]}\varphi$. Assume $C$ contains $m$ atomic constraints of the form
$(\sum_{j \in [1,n_i]} \alpha_i^j \cdot \#\varphi_i^j) \sim_i k_i$ for $i \in [1,m]$. We translate $\Phi$ to CTL by building a family of formulas
whose intended meaning is as follows:

• If constraint $C$ holds with $\#\varphi_i^j = 0$ for all $j, i$, then $\varphi$ may be true immediately.

• Otherwise, successively check for every $j, i$ whether $\varphi_i^j$ holds in the current state,
and if so then update $C$ by decreasing the constant $k_i$ by $\alpha_i^j$.

• Once all $\varphi_i^j$ have been scanned, proceed to the next state and re-evaluate $C$ for the
new values of the constants.

Let $\mathrm{decr}(C, i, j)$ denote the constraint obtained from $C$ by replacing $k_i$ by $k_i - \alpha_i^j$. Note that
in contrast with the formal definition of $\mathrm{CCTL}^\wedge$ constraints, we allow the decr operation to
result in negative constants in the right-hand sides of atomic constraints.

Let $\bot$ and $\top$ be two special constraints satisfied by no (resp. any) finite path in any
Kripke structure. We also define the constraint $C_\downarrow$ obtained from $C$ by replacing any trivially
true atomic constraint (such as $S \ge 0$ or $S > -3$) by $\top$ and any trivially false one (such
as $S < 0$ or $S \le -1$) by $\bot$, and normalizing the obtained constraint in the usual way
($C \vee \bot \to C$, ...). Note that due to this simplification step, $C_\downarrow$ is either reduced to $\top$ or
$\bot$, or it does not contain $\top$ or $\bot$ as a sub-formula. Also note that $C$ and $C_\downarrow$ are equivalent
(i.e. satisfied by the same finite runs).

We now turn to the formal CTL translation $[\Phi]$ of formula $\Phi$, which is defined inductively
on the structure of $\Phi$. Boolean combinations and negation are left unchanged. In the
case where $\Phi = EF_{[C]}\varphi$, we proceed by unfolding the EF modality as follows:

$$[EF_{[C]}\varphi] = \begin{cases}
\bot & \text{if } C_\downarrow = \bot \\
EF[\varphi] & \text{if } C_\downarrow = \top \\
E\big(\bigwedge_{i,j} \neg[\varphi_i^j]\big)\, U\, ([\varphi] \vee \Psi_C) & \text{if } \varepsilon \models C \\
E\big(\bigwedge_{i,j} \neg[\varphi_i^j]\big)\, U\, \Psi_C & \text{if } \varepsilon \not\models C
\end{cases}$$

where $\Psi_C$ is a CTL formula designed to be true in states where both $EF_{[C]}\varphi$ and at least one
formula $\varphi_i^j$ hold. Indeed if $C$ is trivially false, then $EF_{[C]}\varphi$ is clearly not satisfiable. If $C$ is
trivially true, it is sufficient to check that $\varphi$ eventually holds without any further checks on
sub-formulas $\varphi_i^j$. The third case states that if $C$ holds on the empty path then $EF_{[C]}\varphi$ holds
if, after a path prefix not affecting the satisfaction of $C$, either $\varphi$ holds or some $\varphi_i^j$ holds
and we need to update $C$ again. The last case is identical except that it does not check
for $\varphi$ in the current state. It then only remains to define $\Psi_C$. More generally, we describe a
family of CTL formulas $\Psi_{C,i,j,C'}$ where $i \in [1,m]$, $j \in [1, n_i + 1]$ with $m$ and $n_i$ as above, and
$C, C'$ are $\mathrm{CCTL}^\wedge$ constraints. For all $1 \le i \le m$, $1 \le j \le n_i$, let

$$\Psi_{C,i,j,C'} = \big([\varphi_i^j] \wedge \Psi_{C,i,j+1,\mathrm{decr}(C',i,j)}\big) \vee \big(\neg[\varphi_i^j] \wedge \Psi_{C,i,j+1,C'}\big). \qquad (3.1)$$
For all $1 \le i < m$,

$$\Psi_{C,i,n_i+1,C'} = \Psi_{C,i+1,1,C'}. \qquad (3.2)$$

Finally

$$\Psi_{C,m,n_m+1,C'} = \begin{cases} \bot & \text{if } C = C', \\ EX\,[EF_{[C'_\downarrow]}\varphi] & \text{otherwise.} \end{cases} \qquad (3.3)$$

We then set $\Psi_C$ to denote $\Psi_{C,1,1,C}$. Formula $\Psi_{C,i,j,C'}$ implicitly assumes that, in the current
state, a certain (potentially empty) subset of the formulas $\varphi_1^1$ up to (but not including)
$\varphi_i^j$ holds, and that $C'$ is the constraint obtained by updating $C$ with respect to these
formulas. Then, it evaluates (the CTL translation of) formula $\varphi_i^j$, updating $C'$ if necessary
and moving on to the next sub-formula (Eq. (3.1)). Whenever the scanning of sub-formulas
$\varphi_i^1, \ldots, \varphi_i^{n_i}$ relevant to the $i$-th atomic constraint is finished, we proceed with the next one
(Eq. (3.2)). Finally, once all sub-formulas have been scanned and the constraint updated
(Eq. (3.3)), if no progress was made at all (witnessed by the fact that $C = C'$), the formula
is simply deemed false. Otherwise we move to the next state along a possible run using
modality EX, and develop the translation of formula $EF_{[C'_\downarrow]}\varphi$ with the last updated $C'$.

The above recursive definition characterizes finite formulas. Indeed, consider a formula
$[EF_{[C']}\varphi]$ occurring as a sub-formula of $[EF_{[C]}\varphi]$, and $f$ the injection mapping each right-hand-side
constant $k'$ in $C'$ to the corresponding constant in $C$. By definition, we have
$f(k') \le k'$ for every $k'$ in $C'$, and either $f$ is not surjective (meaning that some constant
$k$ in $C$ no longer appears in $C'$ due to the simplification step in Eq. (3.3) above) or there
exists $k'$ such that $f(k') < k'$. This is guaranteed by the fact that developing $\Psi_{C,1,1,C}$
according to its definition into a formula containing $[EF_{[C']}\varphi]$ resorts to at least one decr
operation followed by a simplification operation. Since any negative constant appearing
after a decrement is eliminated by the next simplification step, this process cannot repeat
indefinitely and must therefore terminate.

The translation of $AF_{[C]}\varphi$ is obtained by replacing each occurrence of the path quantifier
E by A in the above. The correctness of the translation can be shown by induction on the
nesting depth of until modalities in $[\Phi]$ and quantities $m$ and $n_i$.

We now turn to the worst-case DAG-size of the translation of the whole CCTL formula
$\Phi$. Let $K$ be the largest integer constant in $\Phi$, $M$ the maximal number of atomic constraints
in any constraint in $\Phi$ and $N$ the maximal number of counting expressions in any atomic
constraint in $\Phi$. The number of distinct $\Psi_{C,i,j,C'}$ formulas involved in the translation of any
sub-formula $EF_{[C]}\varphi$ or $AF_{[C]}\varphi$ of $\Phi$ is bounded by $K^M \cdot M \cdot N \cdot K^M$. This construction is
repeated as many times as there are temporal modalities in $\Phi$, which amounts to at most
$|\Phi| \cdot K^M \cdot M \cdot N \cdot K^M$ distinct sub-formulas (this pessimistic upper bound clearly covers
the case of Boolean connectives, whose translation is much simpler). Since $M, N \in O(|\Phi|)$
and $K \in O(2^{|\Phi|})$, we get a total DAG-size for $[\Phi]$ in $O(|\Phi| \cdot (2^{|\Phi|})^{|\Phi|} \cdot |\Phi| \cdot |\Phi| \cdot (2^{|\Phi|})^{|\Phi|}) =
O(|\Phi|^3 \cdot 2^{2|\Phi|^2}) \subseteq 2^{O(|\Phi|^2)}$. □

Example 3.2. For any integer $k$ and formula $\varphi$, we look at the translation of $\Phi_k = EF_{[C_k]}\varphi$
where $C_k$ denotes the constraint $\#P_1 + \#P_2 = k$ and $\varphi$ is any formula:

$$[\Phi_k] = \begin{cases} E(\neg P_1 \wedge \neg P_2)\, U\, [\varphi] & \text{if } k = 0, \\ E(\neg P_1 \wedge \neg P_2)\, U\, \Psi_k & \text{otherwise} \end{cases} \qquad (3.4)$$

with

$$\Psi_k = \big(P_1 \wedge ((P_2 \wedge EX[(\Phi_{k-2})_\downarrow]) \vee (\neg P_2 \wedge EX[(\Phi_{k-1})_\downarrow]))\big) \vee \big(\neg P_1 \wedge P_2 \wedge EX[(\Phi_{k-1})_\downarrow]\big),$$

where $(\Phi_k)_\downarrow = \Phi_k$ if $k \ge 0$ and $\bot$ otherwise. Note that some simplifications were performed
in this translation: namely, $(\varphi \vee \Psi_0)$ is replaced by $\varphi$ in the first case of Eq. (3.4) since
$\Psi_0 = \bot$, and a conjunct containing $\bot$ is removed from $\Psi_k$.

Note that we provided a parametric upper bound for the above translation which can
be interpreted for all variants of CCTL below $\mathrm{CCTL}^\wedge$. In contrast to this result, introducing
subtractions in constraints yields a strict increase in expressiveness.

Proposition 3.3. The $\mathrm{CCTL}_{\pm 1}$ formula $\varphi = AG_{[\#A - \#B < 0]}\, \bot$ cannot be translated into CTL.

Proof (sketch). Formula $\varphi$ (already seen in Sec. 2.3 with different atomic propositions) states
that the number of $B$-labeled states cannot exceed the number of $A$-labeled states along
any path. As shown by [BVW94] and also presented in [Wil99], the set of models of any
CTL formula can be recognized by a finite alternating tree automaton. Suppose there exists
a CTL formula $\varphi'$ equivalent to $\varphi$, and let $\mathcal{A}$ be the alternating tree automaton accepting
its set of models. From $\mathcal{A}$, one can easily build a finite alternating automaton on words
over $2^{\{A,B\}}$, whose accepted language is the set of all finite prefixes of branches in models
of $\varphi$, namely words whose prefixes contain at most as many $B$'s as $A$'s. Since this language
is clearly not regular, this leads to a contradiction. □

3.2. Succinctness. Our extensions of CTL come with three main potential sources of 
concision, which appear to be orthogonal: the encoding of constants in binary, the possibility 
to use Boolean combinations in constraints, and the use of sums. However, only the first 
two turn out to yield an exponential improvement in succinctness. First we consider the 
case of sums: 

Proposition 3.4. For every formula $\Phi \in \mathrm{CCTL}$ with unary encoding of integers, there
exists an equivalent CTL formula of DAG-size polynomial in $|\Phi|$.

Proof. This proposition is a direct consequence of the DAG-size computation presented in
the proof of Prop. 3.1, where $M$, the number of atomic constraints in a constraint in $\Phi$, is
set to 1 to reflect the absence of Boolean connectives inside constraints, and where $K$, the
maximal constant in $\Phi$, is bounded by $|\Phi|$ due to the unary encoding. □

We now look at the succinctness gap due to the binary encoding of constants³:

Proposition 3.5. $\mathrm{CCTL}_1$ can be exponentially more succinct than CTL.

Proof. In [LST03], it is shown that the logic TCTL, when interpreted over Kripke structures
with a special atomic proposition tick used to mark the elapsing of time, can be exponentially
more succinct than CTL⁴. More precisely, the TCTL formulas $EF_{<n} A$ and $EF_{>n} A$,
which are of size $O(\log(n))$ since $n$ is encoded in binary, do not admit any equivalent CTL
formula of temporal height (and hence also size) less than $n$. These formulas express the
existence of a path where $A$ eventually holds and less (resp. more) than $n$ clock ticks are
seen until then. They are respectively equivalent to the $O(\log(n))$-size $\mathrm{CCTL}_1$ formulas
$EF_{[\#tick < n]} A$ and $EF_{[\#tick > n]} A$. □

³ Note that for real-time logics, it is already known that the binary encoding of integer constants induces
a complexity blow-up for the decision procedures [AH93, AH94].

⁴ This was also observed in [EMSS92] for the logic RTCTL over $\mathrm{DKS}^1$.

Note that the proof of the previous proposition only uses the simplest kind of constraint: 
we do not need sums (and coefficients) or Boolean combinations in the constraints. 

This exhibits a first aspect in which CCTL logics can be exponentially more succinct 
than CTL. However, as expressed in the next proposition, another orthogonal feature of the 
logic may yield a similar blow-up. 

Proposition 3.6. $\mathrm{CCTL}_{\wedge 1}$ with unary encoding of integers can be exponentially more succinct 
than CTL. 

Proof. It was shown by [Wil99, AI03] that any CTL formula $\psi$ equivalent to the $\mathrm{CTL}^{+}$ 
formula $\varphi = \mathrm{E}(\mathrm{F}P_0 \wedge \dots \wedge \mathrm{F}P_n)$ must be of length exponential in $n$. It turns out $\varphi$ is 
equivalent to the $\mathrm{CCTL}_{\wedge 1}$ formula $\varphi' = \mathrm{EF}_{[\bigwedge_{i} \sharp P_i \geq 1]}\top$, which entails the result. Note that 
$\varphi'$ only contains the constant 1, which means that this gap cannot be imputed to the binary 
encoding. □ 

The intuitive reason for this blow-up is that a CTL formula expressing the property 
that atomic propositions $P_1$ to $P_n$ are each seen at least once along a path would have to 
keep track of all possible interleavings of occurrences of the $P_i$'s. 

To summarize, we showed that two different aspects of the extensions of CTL presented 
in this paper, while not increasing the overall expressiveness of the logic, may yield exponen- 
tial improvements in succinctness. It would remain to study the succinctness of remaining 
CCTL fragments with respect to each other, in particular when these aspects are combined. 



4. Model checking 



4.1. Polynomial-time model-checking. Even though, as we discussed in the previous 
section, diagonal constraints lead to strictly more expressive logics than CTL, it turns 
out that model-checking $\mathrm{CCTL}_{\pm 1}$ is asymptotically not more difficult than model checking 
CTL itself. As a preliminary result of independent interest, we show that the existence 
of a polynomial-time algorithm for the model-checking of the logic TCTL over $\mathrm{DKS}^{0/1}$, as 
shown in [LST03], remains true when considering more general weighted graphs, namely 
DKS's with weights in $\{-1, 0, 1\}$. This result will be used to establish the complexity of 
model-checking for $\mathrm{CCTL}_{\pm 1}$, and as a corollary also for all weaker fragments. 

Proposition 4.1. The model-checking problem for TCTL over $\mathrm{DKS}^{-1/0/1}$ is P-complete. 

P-hardness is inherited from CTL (see [Sch03] for a proof of the P-hardness of CTL). 
For membership in P, we consider a DKS $S = (Q, R, \ell)$ with $R \subseteq Q \times \{-1, 0, 1\} \times Q$, a 
state $q \in Q$ and a TCTL formula $\Phi$, and show that deciding whether $q \models \Phi$ can be done 
in polynomial time. As usual, we inductively assume the set of states satisfying all strict 
sub-formulas of $\Phi$ to be known, and proceed from there. We distinguish several cases: 

(1) $\Phi = \mathrm{E}\varphi\mathrm{U}_{\leq k}\psi$: We first determine the subset of states $Q|_{\mathrm{E}\varphi\mathrm{U}\psi}$ from which the 
CTL formula $\mathrm{E}\varphi\mathrm{U}\psi$ holds, and consider the restriction $S'$ of $S$ to $Q|_{\mathrm{E}\varphi\mathrm{U}\psi}$ in which 
outgoing edges of states labeled by $\psi \wedge \neg\varphi$ are removed. $\Phi$ holds over some state 
$q$ in $S$ if and only if $q \in Q|_{\mathrm{E}\varphi\mathrm{U}\psi}$ and there exists a path of weight at most $k$ in $S'$ 
from $q$ to some other state $q'$ where $\psi$ holds. Considered paths are either simple, 
or composed of a prefix from $q$ to some state $q''$, a negative-weight cycle from $q''$ to 
itself repeated a certain number of times, and a suffix from $q''$ to $q'$. 

Even though finding a simple path of weight less than $k$ in a graph containing 
negative cycles is NP-complete, this is not exactly what we are considering since 
we allow paths containing repeated states. Our problem can thus be tested in 
polynomial time using the classical Floyd-Warshall algorithm (to compute all-pairs 
shortest paths) over $S'$. The matrix $(\alpha_{q,q'})$ of shortest-path weights computed by 
this algorithm gives us sufficient information: to decide whether a state $q$ satisfies 
$\Phi$, one simply needs to check whether there exists $q'$ satisfying $\psi$ such that 
either $\alpha_{q,q'} \leq k$, or there exists $q''$ such that $\alpha_{q,q''} < \infty$, $\alpha_{q'',q''} < 0$ and $\alpha_{q'',q'} < \infty$. 

(2) $\Phi = \mathrm{E}\varphi\mathrm{U}_{\geq k}\psi$: We build the DKS $S'$ as in the previous case, and a new DKS $S''$ 
isomorphic to $S'$ but with opposite weights. Then, $\Phi$ is satisfied from $q$ in $S'$ (and 
thus also $S$) if and only if the formula $\mathrm{E}\varphi\mathrm{U}_{\leq -k}\psi$ is satisfied from $q$ in $S''$. 

(3) $\Phi = \mathrm{E}\varphi\mathrm{U}_{= k}\psi$: We build the DKS $S'$ as in case (1) and compute the relation 
$$R_k = \{(q, q') \in Q|_{\varphi \wedge \mathrm{E}\varphi\mathrm{U}\psi} \times Q|_{\mathrm{E}\varphi\mathrm{U}\psi} \mid q \Rightarrow^{k} q'\}$$ 
where $q \Rightarrow^{k} q'$ means that $q'$ is reachable from $q$ in $S'$ by a path of weight $k$. Writing 
$\xrightarrow{w}_R$ for the set of pairs $(q, q')$ with $(q, w, q') \in R$ and $\cdot$ for relational composition, 
$R_0$ can be seen as $\bigcup_{i \geq 0} X_i$ with: 
$$X_0 = (\xrightarrow{0}_R)^{*}$$ 
$$X_{i+1} = X_i \cup (X_i \cdot \xrightarrow{1}_R \cdot X_i \cdot \xrightarrow{-1}_R \cdot X_i) \cup (X_i \cdot \xrightarrow{-1}_R \cdot X_i \cdot \xrightarrow{1}_R \cdot X_i)$$ 
which can be obtained by a simple fixed-point computation requiring at most $|Q|^2$ 
iterations (since $|R_0| \leq |Q|^2$). For $k = 1$, we simply have $R_1 = R_0 \cdot \xrightarrow{1}_R \cdot R_0$. For 
greater values of $k$, we use dichotomy to express this relation in terms of $R_0$ and $R_1$ 
in $O(\log(k))$ steps (i.e. $O(|\Phi|)$, since $k$ is encoded in binary), by writing 
$$R_k = R_{\lfloor k/2 \rfloor} \cdot R_{\lceil k/2 \rceil}.$$ 
Each of these relational compositions requires time at most cubic in the size of $Q$. 
It then suffices to test whether $(q, q') \in R_k$ for some $q'$ verifying $\psi$. 
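
The three existential cases above, as an added example (Python written for this page, not the paper's code): a DKS is given as an explicit list of states and of (source, weight, target) transitions, $\varphi$ and $\psi$ are predicates on states whose truth values are taken as already known, and the small sample structure at the end is constructed for the example. Case (1) runs Floyd-Warshall on $S'$ and uses the diagonal of the matrix to detect a usable negative cycle; case (2) negates the weights; case (3) computes $R_0$ by the fixed point, $R_1$, and then $R_k$ by dichotomy. 

```python
"""Existential bounded until on a DKS with weights in {-1, 0, 1}: cases (1)-(3)
of the proof of Prop. 4.1. Added example, not the paper's code. A DKS is a list
of states plus (source, weight, target) edges; phi/psi are state predicates."""

INF = float("inf")

def until_restriction(states, edges, phi, psi):
    """Q|EphiUpsi and the edges of S': edges inside Q|EphiUpsi, minus the
    outgoing edges of (psi and not phi)-states, where an until must stop."""
    good = {q for q in states if psi(q)}
    changed = True
    while changed:  # least fixed point of  psi or (phi and EX good)
        changed = False
        for src, _, dst in edges:
            if src not in good and phi(src) and dst in good:
                good.add(src)
                changed = True
    kept = [(s, w, d) for s, w, d in edges
            if s in good and d in good and not (psi(s) and not phi(s))]
    return good, kept

def floyd_warshall(states, edges):
    """All-pairs shortest-walk weights. With negative cycles the entries are not
    simple-path weights, but each finite entry is the weight of a real walk and
    alpha[q][q] < 0 exactly when q lies on a negative cycle."""
    alpha = {a: {b: INF for b in states} for a in states}
    for q in states:
        alpha[q][q] = 0  # the empty walk
    for s, w, d in edges:
        alpha[s][d] = min(alpha[s][d], w)
    for m in states:
        for a in states:
            for b in states:
                if alpha[a][m] + alpha[m][b] < alpha[a][b]:
                    alpha[a][b] = alpha[a][m] + alpha[m][b]
    return alpha

def exists_until_le(states, edges, phi, psi, q, k):
    """q |= E phi U_{<=k} psi (case (1))."""
    good, kept = until_restriction(states, edges, phi, psi)
    if q not in good:
        return False
    alpha = floyd_warshall(states, kept)
    for t in (t for t in states if psi(t)):
        if alpha[q][t] <= k:
            return True
        # a negative cycle reachable from q and leading to t beats any bound k
        if any(alpha[q][m] < INF and alpha[m][m] < 0 and alpha[m][t] < INF
               for m in states):
            return True
    return False

def exists_until_ge(states, edges, phi, psi, q, k):
    """q |= E phi U_{>=k} psi (case (2)): negate the weights, ask for <= -k."""
    return exists_until_le(states, [(s, -w, d) for s, w, d in edges], phi, psi, q, -k)

def compose(rel_a, rel_b):
    """Relational composition rel_a . rel_b on sets of pairs."""
    succ = {}
    for b, c in rel_b:
        succ.setdefault(b, set()).add(c)
    return {(a, c) for a, b in rel_a for c in succ.get(b, ())}

def zero_weight_relation(states, step):
    """R_0 of case (3): least fixed point of X_0 = (->0)^* and
    X_{i+1} = X_i u X_i.->1.X_i.->-1.X_i u X_i.->-1.X_i.->1.X_i."""
    rel = {(q, q) for q in states} | step[0]
    while rel != (rel | compose(rel, rel)):  # closure of the 0-weight edges
        rel = rel | compose(rel, rel)
    while True:
        up_down = compose(compose(compose(compose(rel, step[1]), rel), step[-1]), rel)
        down_up = compose(compose(compose(compose(rel, step[-1]), rel), step[1]), rel)
        if rel | up_down | down_up == rel:
            return rel
        rel = rel | up_down | down_up

def exists_until_eq(states, edges, phi, psi, q, k):
    """q |= E phi U_{=k} psi (case (3)): R_1 = R_0.->1.R_0, then the dichotomy
    R_k = R_{floor(k/2)} . R_{ceil(k/2)}; a negative k swaps the +1/-1 steps."""
    good, kept = until_restriction(states, edges, phi, psi)
    if q not in good:
        return False
    step = {w: {(s, d) for s, w2, d in kept if w2 == w} for w in (-1, 0, 1)}
    if k < 0:
        step[1], step[-1], k = step[-1], step[1], -k
    cache = {0: zero_weight_relation(states, step)}
    cache[1] = compose(compose(cache[0], step[1]), cache[0])
    def r(n):
        if n not in cache:
            cache[n] = compose(r(n // 2), r(n - n // 2))
        return cache[n]
    return any((q, t) in r(k) for t in states if psi(t))

# Constructed sample DKS: a <-> b is a cycle of weight -2, a -> c -> d costs +1
# and d only loops on itself with weight 0.
STATES = ["a", "b", "c", "d"]
EDGES = [("a", -1, "b"), ("b", -1, "a"), ("a", 0, "c"), ("c", 1, "d"), ("d", 0, "d")]
PHI = lambda s: s != "d"  # phi holds everywhere except d
PSI = lambda s: s == "d"  # psi holds only at d
```

On the sample, the paths from $a$ to $d$ have weights $1, -1, -3, \dots$, so $\mathrm{E}\varphi\mathrm{U}_{\leq k}\psi$ holds at $a$ for every $k$ (the negative cycle is found through the diagonal of the matrix), while $\mathrm{E}\varphi\mathrm{U}_{=k}\psi$ holds at $a$ exactly for those odd values; $d$ itself satisfies $\psi \wedge \neg\varphi$, so only the empty path of weight 0 starts there. 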

(4) $\Phi = \mathrm{A}\varphi\mathrm{U}_{= 0}\psi$: The procedure consists in defining a standard Kripke structure $S'$ 
and a classical CTL formula $\Psi$ such that $S'$ satisfies $\Psi$ if and only if $S$ does not 
satisfy $\Phi$. 

Using fixed-point computations over $Q \times Q$, we compute the relations $R_0^{+}$ and 
$R_0^{-}$ as the respective least solutions of 
$$X_0 = (\xrightarrow{0}_R)^{*}, \qquad X_{i+1} = X_i \cup (X_i \cdot \xrightarrow{1}_R \cdot X_i \cdot \xrightarrow{-1}_R \cdot X_i)$$ 
and 
$$X_0 = (\xrightarrow{0}_R)^{*}, \qquad X_{i+1} = X_i \cup (X_i \cdot \xrightarrow{-1}_R \cdot X_i \cdot \xrightarrow{1}_R \cdot X_i).$$ 
$R_0^{+}$ and $R_0^{-}$ respectively express the reachability relation in $S$ along paths of weight 0 
with no prefix of strictly negative (resp. positive) weight. We also define the 
relation $R_0^{s}$ (where $s$ stands for strict) as: 
$$R_0^{s} = \xrightarrow{0}_R \cup (\xrightarrow{1}_R \cdot R_0^{+} \cdot \xrightarrow{-1}_R) \cup (\xrightarrow{-1}_R \cdot R_0^{-} \cdot \xrightarrow{1}_R)$$ 
which expresses reachability in $S$ by 0-weight paths such that no intermediate state 
(other than the initial one) is reached with weight 0. Let $Q^{+}$, $Q^{-}$ be two isomorphic 
copies of $Q$ (and $q^{+}$, $q^{-}$ denote the copies in $Q^{+}$ and $Q^{-}$ of some state $q \in Q$); we 
can now construct $S' = (Q', R', \ell')$ with $Q' = Q \cup Q^{+} \cup Q^{-}$, $\ell'(q) = \ell(q)$ if $q \in Q$ 
and $\ell'(q^{\pm}) = \ell(q) \cup \{ok\}$, and 
$$R' = \{q_1 \to q_2 \mid (q_1, q_2) \in R_0^{s}\}$$ 
$$\cup\ \{q_1 \to q_2^{+} \mid q_1 \xrightarrow{1}_R q_2\} \cup \{q_1^{+} \to q_2^{+} \mid q_1 \xrightarrow{1}_R q_2 \vee (q_1, q_2) \in R_0^{+}\}$$ 
$$\cup\ \{q_1 \to q_2^{-} \mid q_1 \xrightarrow{-1}_R q_2\} \cup \{q_1^{-} \to q_2^{-} \mid q_1 \xrightarrow{-1}_R q_2 \vee (q_1, q_2) \in R_0^{-}\}.$$ 

In order to eliminate finite paths, we additionally complete $S'$ with a dummy state 
$q_\bot$ and transitions from every state to $q_\bot$ and a loop from $q_\bot$ to itself. We let 
$\ell'(q_\bot) = \{\psi\}$, which will be explained in detail later on. 

The set of states of $S'$ is divided into four subsets: states in $Q$ correspond to 
the states reachable with weight 0 in $S$, and states in $Q^{+}$ and $Q^{-}$ are the states 
reachable with weight strictly more or strictly less than 0. Paths in $S'$ ending in 
the dummy state may not correspond to actual paths in $S$, but they correspond to 
situations which are irrelevant to solving the problem. Since a path going from $Q$ to 
$Q^{+}$, and then from $Q^{+}$ to $Q$ is captured by the relation $R_0^{s}$, we can omit transitions 
going back to $Q$ from $Q^{+}$ (and similarly for $Q^{-}$). Hence all runs of $S'$ either stay 
forever in $Q$, eventually reach $Q^{+}$ or $Q^{-}$ and stay there forever, or reach the dummy 
state and stay there forever. 

We now define the CTL formula $\Psi$ as $\mathrm{E}(\neg\psi \vee ok)\,\mathrm{W}\,(\neg\varphi \wedge (\neg\psi \vee ok))$⁵ and claim 
that $q \models_{S'} \Psi$ if and only if $q \not\models_S \Phi$. The idea of the proof is to show that if $\Phi$ is 
not satisfied from some state $q$ in $S$ then one can find a path from $q$ in $S'$ satisfying 
$\Psi$, and conversely that finding a path satisfying $\Psi$ from $q$ over $S'$ is sufficient to 
disprove $\Phi$ from that state in $S$. 

Lemma 4.2. $q \models_S \neg\Phi \Rightarrow q \models_{S'} \Psi$. 

Proof. There are several ways in which $\Phi$ may fail to hold over $S$: 

(a) There exists a path $\rho$ in $S$ along which a state $q_1 \models \neg\varphi$ appears strictly before 
the first state satisfying $\psi$ and reached with weight 0. Let $\rho_1 q_1$ be the shortest 
prefix of $\rho$ such that $q_1 \models \neg\varphi$ and either $q_1 \models \neg\psi$ or $\|\rho_1 q_1\| \neq 0$. 

(i) If $q_1 \models \neg\psi$ and $\|\rho_1 q_1\| = 0$, then by definition of $R_0^{s}$ there must exist 
a path $\rho' = \rho'_1 q_1$ from $q$ to $q_1$ in $S'$ whose intermediate states all satisfy $\neg\psi$. 
Consequently, any infinite continuation of $\rho'$ must satisfy $\neg\psi\,\mathrm{W}\,(\neg\varphi \wedge \neg\psi)$, 
which implies that $q \models_{S'} \Psi$. 

(ii) If $\|\rho_1 q_1\| \neq 0$, then we can write $\rho_1 q_1 = \rho_2 q_2 \rho_3 q_1$ where $\rho_2 q_2$ is the 
longest prefix of $\rho_1$ of weight 0. By definition, $q_2 \rho_3 q_1$ starts with a non-0 
transition and has no prefix of weight 0, hence by definition of $S'$ there 
must exist a finite path $\rho' = \rho'_2 q_2 \rho'_3 q_1^{\pm}$ in $S'$ such that all intermediate 
states of $\rho'_2 q_2$ satisfy $\neg\psi$ and all intermediate states of $\rho'_3 q_1^{\pm}$ satisfy $ok$. 
Hence any continuation of $\rho'$ must satisfy $(\neg\psi \vee ok)\,\mathrm{W}\,(\neg\varphi \wedge ok)$, which 
implies that $q \models_{S'} \Psi$. 

(b) There exists a path $\rho$ in $S$ along which no state satisfying $\psi$ ever appears at 
the end of a prefix of weight 0. We assume that $\varphi$ consistently holds along the 
path, otherwise it comes down to the previous case. There are again two cases 
to consider: 

(i) If $\rho$ has infinitely many prefixes of weight 0, then by definition of $R_0^{s}$ there 
must exist an infinite path $\rho'$ in $S'$ whose intermediate states never leave 
the set $Q$ and all satisfy $\neg\psi$. Therefore $\rho'$ satisfies $\mathrm{G}\neg\psi$, which implies 
that $q \models_{S'} \Psi$. 

(ii) If $\rho$ has finitely many prefixes of weight 0, then using ideas similar to 
the above, one can decompose it as $\rho_1 \rho_2$, with $\rho_1$ its longest finite prefix 
of weight 0, and $\rho_2$ an infinite path with no prefix of weight 0. This 
implies the existence of a corresponding path $\rho'$ in $S'$ with a finite prefix 
remaining in $Q$ whose states all satisfy $\neg\psi$ and an infinite suffix remaining 
in $Q^{+}$ or $Q^{-}$ whose states all satisfy $ok$. Therefore $\rho'$ must satisfy $\mathrm{G}(\neg\psi \vee ok)$, 
which implies that $q \models_{S'} \Psi$. □ 

⁵ $\mathrm{W}$ is called the weak until modality, and $\varphi\mathrm{W}\psi$ holds along a path if either $\mathrm{G}\varphi$ or $\varphi\mathrm{U}\psi$ does. 

Lemma 4.3. $q \models_{S'} \Psi \Rightarrow q \models_S \neg\Phi$. 

Proof. The proof is very similar to that of the previous lemma. Let us consider a 
path $\rho'$ in $S'$ satisfying $\Psi$. There are two main possibilities: 

(a) The path $\rho'$ consistently satisfies $\neg\psi \vee ok$. We distinguish two cases. 

(i) If $\rho'$ never leaves the set $Q$ (and thus consists only of edges representing 
the relation $R_0^{s}$), then there must exist a corresponding path $\rho$ in $S$ visiting 
at least the same states in the same order (since $R_0^{s}$ is a restriction of 
the reachability relation of $S$). Moreover, all states reached with weight 0 
in $\rho$ must appear in $\rho'$ (by definition of $R_0^{s}$). Now whether or not the 
states in $\rho$ satisfy $\varphi$, $\Phi$ cannot be satisfied in $S$ from $q$ since no state 
reached with weight 0 satisfies $\psi$ along $\rho$. 

(ii) If $\rho'$ eventually leaves the set $Q$, and since there are no transitions out 
of $Q^{+}$ and $Q^{-}$ except to the dummy state $q_\bot$ (which satisfies $\psi$ but 
not $ok$), then necessarily $\rho'$ can be decomposed into $\rho'_1 q_1 \rho'_2$ where $\rho'_1 q_1$ 
is a finite path in $Q$ necessarily satisfying $\mathrm{G}\neg\psi$ and $\rho'_2$ is an infinite 
path either in $Q^{+}$ or $Q^{-}$ necessarily satisfying $\mathrm{G}\,ok$. As previously, this 
implies the existence of a corresponding path $\rho$ in $S$, where the part 
corresponding to $\rho'_1$ never visits a state satisfying $\psi$ with weight 0, and 
the part corresponding to $\rho'_2$ never reaches weight 0 again. Thus $\Phi$ cannot 
be satisfied from $q$ in $S$. 

(b) The other possibility is that $\rho'$ can be written $\rho'_1 q_1 \rho'_2$, where $\rho'_1$ satisfies $\mathrm{G}(\neg\psi \vee ok)$ 
and $q_1$ satisfies $\neg\varphi \wedge (\neg\psi \vee ok)$. Again there are two possible cases. 

(i) If $q_1 \in Q$, then $\rho'_1$ only visits states satisfying $\neg\psi$, and $q_1 \models \neg\varphi \wedge \neg\psi$. 
As previously there must exist a corresponding path $\rho_1$ in $S$ visiting at 
least the same states in the same order. Now since by definition of $R_0^{s}$ all 
0-weight prefixes of $\rho_1$ end in states appearing in $\rho'$ and satisfying $\neg\psi$, 
and since $q_1$ satisfies $\neg\varphi \wedge \neg\psi$, no continuation of $\rho_1 q_1$ in $S$ can satisfy 
$\varphi\mathrm{U}_{=0}\psi$. 

(ii) If $q_1 \notin Q$, then necessarily $q_1 \in Q^{+} \cup Q^{-}$ (since $q_\bot \not\models \neg\psi \vee ok$) and 
$q_1 \models \neg\varphi \wedge ok$. Consequently one can write $\rho'_1 = \rho'_2 q_2 \rho'_3$ such that $q_2 \in Q$, 
$\rho'_2$ never leaves $Q$ and $\rho'_3$ never leaves either $Q^{+}$ or $Q^{-}$. Moreover, all 
states in $\rho'_2 q_2$ satisfy $\neg\psi$. One can thus build in $S$ a finite path $\rho$ from $q$ 
to $q_1$ going through $q_2$, in which no state reached with weight 0 up to $q_2$ 
(and thus also up to $q_1$) satisfies $\psi$, and all states occurring after $q_2$ (in 
particular $q_1$) are reached with non-0 weight. Hence since $q_1 \models \neg\varphi$, this 
implies that no continuation of $\rho$ can satisfy $\varphi\mathrm{U}_{=0}\psi$. □ 

(5) $\Phi = \mathrm{A}\varphi\mathrm{U}_{= k}\psi$: This case is similar to the previous one with slight modifications of 
the construction. We first assume $k$ to be positive, otherwise we can replace $S$ by 
an identical structure in which all weights are inverted and solve the formula with 
parameter $-k$. We then inductively compute 
$$R_k = R_{\lfloor k/2 \rfloor} \cdot R_{\lceil k/2 \rceil} \quad \text{with} \quad R_1 = R_0^{-} \cdot \xrightarrow{1}_R$$ 
and $R_0^{-}$ defined as previously. $R_k$ is the reachability relation in $S$ by paths of 
weight $k$ whose prefixes all have weight strictly less than $k$. We also compute, using 
for instance a modified Floyd-Warshall algorithm in which all integers greater than 
or equal to $k$ are assimilated to $\infty$, the reachability relation $R_{<k} = \{(q, q') \mid \exists \sigma = 
q\sigma' q',\ \forall \rho \preceq \sigma,\ \|\rho\| < k\}$ (where $\rho \preceq \sigma$ means that $\rho$ is a prefix of $\sigma$). 

We now construct a Kripke structure $S'$ as in the previous case, except that 
$Q' = Q \cup Q^{init} \cup Q^{+} \cup Q^{-} \cup \{q_\bot\}$ (where $Q^{init}$ is yet another copy of $Q$ and $q^{init}$ 
denotes the copy of $q$ in $Q^{init}$) and $R'$ also contains $\{q_1^{init} \to q_2 \mid q_1 R_k q_2\} \cup \{q_1^{init} \to 
q_2^{init} \mid q_1 R_{<k} q_2\}$. We additionally label states in $Q^{init}$ with the atomic proposition 
$ok$. With this new Kripke structure, we can show that $q \not\models_S \Phi$ if and only if 
$q^{init} \models_{S'} \Psi$. 

(6) $\Phi = \mathrm{A}\varphi\mathrm{U}_{\sim k}\psi$ with $\sim\ \in \{<, \leq, >, \geq\}$: Let us first treat the case where $\sim$ is $<$. We 
assume $k$ to be greater than or equal to 0, otherwise we invert all weights in $S$ and 
solve the problem using the procedure for $\Phi = \mathrm{A}\varphi\mathrm{U}_{> -k}\psi$. We essentially use the 
same procedure as for the previous case ($= k$), with a few modifications: 

(a) The relations $R_k$ and $R_{<k}$ have to be computed over the restricted set of states $Q' = \{q \in 
Q \mid q \models \neg\psi\}$, because we have to make sure that no "hidden" intermediate 
state reached after a path of weight less than $k$ satisfies $\psi$; 

(b) States in $Q^{-}$ should no longer be labelled by atomic proposition $ok$, because 
paths which ultimately remain in $Q^{-}$ may correspond to paths in $S$ satisfying 
$\Phi$, and thus should not satisfy $\Psi$ unlike previously; 

(c) Similarly, we remove the label $ok$ from states in $Q^{init}$, in other words $\forall q \in 
Q$, $\ell'(q^{init}) = \ell(q)$. 

In the case where $\sim$ is $>$, we simply need to re-label states in $Q^{init}$ and $Q^{-}$ with 
$ok$, and remove $ok$ from the labelling of $Q^{+}$. Cases where $\sim$ is $\leq$ and $\geq$ are dealt 
with by adding the $ok$ label on states in $Q$ in the constructions for $<$ and $>$. 

This concludes the proof that deciding the satisfaction of a TCTL formula from a given state 
of a $\mathrm{DKS}^{-1/0/1}$ is in P. □ 

Theorem 4.4. The model-checking problem for $\mathrm{CCTL}_{\pm 1}$ is P-complete. 

Proof. As usual, P-hardness is inherited from CTL. Membership in P is done by reduction 
to TCTL model-checking over $\mathrm{DKS}^{-1/0/1}$. 

We provide polynomial-time procedures to deal with the sub-formulas $\mathrm{E}\varphi\mathrm{U}_{[C]}\psi$ and 
$\mathrm{A}\varphi\mathrm{U}_{[C]}\psi$ with $C = \sum_{i=1}^{n} \alpha_i \cdot \sharp\varphi_i \sim k$ where $\alpha_i \in \{-1, 1\}$ and $k \in \mathbb{Z}$. Consider a Kripke 
structure $S = (Q, R, \ell)$, and inductively assume that the truth values of $\varphi$, $\psi$ and $\varphi_i$ over 
each state of $S$ are known: these sub-formulas will be seen as atomic propositions in the 
following. 

To each state $q$ occurring along a path, we associate a cost $|q|_C = \sum\{\alpha_i \mid q \models \varphi_i\}$, and 
note that the value of $|q|_C$ is in $O(|C|)$. This cost is additively extended to paths in the usual 
way. Deciding the truth value of the path formula $\varphi\mathrm{U}_{[C]}\psi$ over a path $\rho$ then amounts to checking whether 
there exists a finite prefix $\rho' q$ of $\rho$ such that $|\rho'|_C \sim k$, $q \models \psi$ and $\forall i < |\rho'|,\ \rho'(i) \models \varphi$. 

Given the type of our counting constraints, each state contributes to the cost of a 
path by a certain positive or negative number whose absolute value is bounded by $d = 
\max(\sum\{\alpha_i \mid \alpha_i = 1\}, \sum\{|\alpha_i| \mid \alpha_i = -1\})$. The idea is to build a durational Kripke structure 
with weights in $\{-1, 0, 1\}$, by adding (at most $d + 1$) copies of each state in the original 
Kripke structure. 

Formally, we build from $S$ a $\mathrm{DKS}^{-1/0/1}$ $S' = (Q', R', \ell')$ as follows: for each state 
$q \in Q$ with $\big|\,|q|_C\,\big| = n$, $Q'$ contains $n + 1$ additional states $q_0, \dots, q_n$. $R'$ is then defined as 
$$\{q \xrightarrow{0} q_0 \mid q \in Q\} \cup \{q_n \xrightarrow{0} q' \mid (q, q') \in R,\ n = \big|\,|q|_C\,\big|\} \cup \{q_i \xrightarrow{\delta_q} q_{i+1} \mid q \in Q,\ i < \big|\,|q|_C\,\big|\}$$ 
with $\delta_q = 1$ if $|q|_C > 0$ and $\delta_q = -1$ otherwise. Finally, we set $\ell'(q_i) = \emptyset$ for all $q_i \in Q' \setminus Q$ 
and $\ell'(q) = \ell(q) \cup \{ok\}$ for all $q \in Q' \cap Q$, where $ok$ is a new atomic predicate. 

To each path $\rho = q\sigma$ in $S$, we associate the path $\bar\rho = q\,q_0 \dots q_n\,\bar\sigma$ in $S'$. It can now 
be shown that $\rho$ satisfies $\varphi\mathrm{U}_{[C]}\psi$ if and only if $\bar\rho$ satisfies the TCTL path formula $(ok \Rightarrow 
\varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$, and consequently that some state $q$ satisfies $\mathrm{A}\varphi\mathrm{U}_{[C]}\psi$ (resp. $\mathrm{E}\varphi\mathrm{U}_{[C]}\psi$) in 
$S$ if and only if it satisfies $\mathrm{A}(ok \Rightarrow \varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$ (resp. $\mathrm{E}(ok \Rightarrow \varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$) in $S'$. 

Suppose $\rho \models_S \varphi\mathrm{U}_{[C]}\psi$. We reason by induction on the least integer $i$ such that 
$\rho_{|i-1} \models_S C$, $\rho(j) \models_S \varphi$ for all $j < i$ and $\rho(i) \models_S \psi$. If $i = 1$, then $\rho(1) \models_S \psi$ and 
thus $\bar\rho(1) \models_{S'} \psi$ (recall that $\psi$ is seen as atomic). Otherwise, $\rho = q\rho'$ with $q \models_S \varphi$ 
and $\rho' \models_S \varphi\mathrm{U}_{[C']}\psi$ with $C' = \sum_{i=1}^{n} \alpha_i \cdot \sharp\varphi_i \sim k - |q|_C$, in other words $\rho'_{|i-2} \models_S C'$ and 
$\rho'(i-1) \models_S \psi$. By induction hypothesis, we have $\bar\rho' \models_{S'} (ok \Rightarrow \varphi)\mathrm{U}_{\sim k - |q|_C}(ok \wedge \psi)$. Hence 
$\bar\rho = q\,q_0 \dots q_n\,\bar\rho' \models_{S'} (ok \Rightarrow \varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$, since the prefix $q\,q_0 \dots q_n$ has weight 
$|q|_C$ and all its states satisfy $ok \Rightarrow \varphi$. 

Conversely, consider a path $\rho$ in $S'$ starting with some state $q \in Q$ such that $\rho \models_{S'} 
(ok \Rightarrow \varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$, and as previously let $i$ be the least integer such that $\|\rho_{|i-1}\| \sim k$, 
$\rho(j) \models_{S'} (ok \Rightarrow \varphi)$ for all $j < i$ and $\rho(i) \models_{S'} (ok \wedge \psi)$. By construction of $S'$, there 
must exist a unique path $\sigma$ in $S$ such that $\bar\sigma = \rho$. We show by induction on $i$ that 
$\sigma \models_S \varphi\mathrm{U}_{[C]}\psi$. If $i = 1$, then $\rho(1) \models_{S'} ok \wedge \psi$, in which case $\sigma(1) \models_S \psi$ holds in $S$. 
Otherwise by construction of $S'$ there must exist $q' \in Q$ such that $\rho = q\,q_0 q_1 \cdots q_n\,q'\rho'$ 
and $q'\rho' \models_{S'} (ok \Rightarrow \varphi)\mathrm{U}_{\sim k - |q|_C}(ok \wedge \psi)$. Let $\sigma = q\,q'\sigma'$; by induction hypothesis we have 
$q'\sigma' \models_S \varphi\mathrm{U}_{[C']}\psi$ with $C' = \sum_{i=1}^{n} \alpha_i \cdot \sharp\varphi_i \sim k - |q|_C$, and $q \models_S \varphi$ since $q \models_{S'} ok \Rightarrow \varphi$. 
Hence $\sigma \models_S \varphi\mathrm{U}_{[C]}\psi$. □ 
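
The construction of $S'$ above, as an added example in Python (written for this page, not the paper's code). The encoding is an assumption of the example: a Kripke structure is a list of states, a list of (source, target) edges and a dictionary of label sets; the constraint $C$ is a list of $(\alpha_i, \varphi_i)$ pairs where each $\varphi_i$ is an atom already evaluated on the states; the sample structure at the end is constructed. The last function checks, on a prefix $\rho' q$ of a path of $S$, that $|\rho'|_C$ equals the weight of the corresponding prefix of $\bar\rho$ in $S'$, which is the equality the two induction arguments rely on. 

```python
"""The reduction of Thm. 4.4: from a Kripke structure S and a constraint
C = sum_i alpha_i * #phi_i ~ k (alpha_i in {-1, 1}) to a DKS with weights in
{-1, 0, 1}. Added example, not the paper's code; the encodings of S and C
(see the sample at the end) are assumptions of the example."""

def state_cost(q, labels, constraint):
    """|q|_C: sum of the alpha_i whose phi_i holds at q (phi_i seen as atoms)."""
    return sum(alpha for alpha, prop in constraint if prop in labels[q])

def path_cost(path, labels, constraint):
    """|rho|_C, the cost extended additively to a finite sequence of states."""
    return sum(state_cost(q, labels, constraint) for q in path)

def build_dks(states, edges, labels, constraint):
    """S' = (Q', R', l'): for each q with n = abs(|q|_C), add q_0 .. q_n and
    q ->0 q_0 ->delta_q q_1 ... ->delta_q q_n ->0 q' for every successor q' of q.
    Original states keep their labels plus `ok`; the copies are unlabelled."""
    dks_states = list(states)
    dks_edges = []
    dks_labels = {q: set(labels[q]) | {"ok"} for q in states}
    for q in states:
        cost = state_cost(q, labels, constraint)
        n, delta = abs(cost), (1 if cost > 0 else -1)
        copies = [(q, i) for i in range(n + 1)]
        dks_states.extend(copies)
        dks_labels.update((c, set()) for c in copies)
        dks_edges.append((q, 0, copies[0]))
        dks_edges.extend((copies[i], delta, copies[i + 1]) for i in range(n))
        dks_edges.extend((copies[n], 0, succ) for src, succ in edges if src == q)
    return dks_states, dks_edges, dks_labels

def lift_path(path, labels, constraint):
    """rho-bar: every state q of rho is followed by its copies q_0 .. q_n."""
    lifted = []
    for q in path:
        lifted.append(q)
        lifted.extend((q, i) for i in range(abs(state_cost(q, labels, constraint)) + 1))
    return lifted

def dks_weight(path, dks_edges):
    """Weight of a path of S', i.e. the sum of the weights of its transitions."""
    weight = {(s, d): w for s, w, d in dks_edges}
    return sum(weight[(path[i], path[i + 1])] for i in range(len(path) - 1))

# Constructed sample: S with four states, constraint C = #p - #r ~ k.
STATES = ["s0", "s1", "s2", "s3"]
EDGES = [("s0", "s1"), ("s1", "s2"), ("s1", "s3"), ("s2", "s3"), ("s3", "s3")]
LABELS = {"s0": {"p"}, "s1": {"p", "r"}, "s2": {"r"}, "s3": {"t"}}
C = [(1, "p"), (-1, "r")]  # |s0|_C = 1, |s1|_C = 0, |s2|_C = -1, |s3|_C = 0

def prefix_weights_agree(prefix, next_state):
    """On one prefix rho' q of a path of S: |rho'|_C equals the weight of the
    prefix of rho-bar that ends at q in S' (the key step of the proof)."""
    _, dks_edges, _ = build_dks(STATES, EDGES, LABELS, C)
    in_s = path_cost(prefix, LABELS, C)
    in_dks = dks_weight(lift_path(prefix, LABELS, C) + [next_state], dks_edges)
    return in_s == in_dks
```

Every weight of $S'$ is in $\{-1, 0, 1\}$ and the only labelled states are the originals (which carry $ok$), so the TCTL formula $(ok \Rightarrow \varphi)\mathrm{U}_{\sim k}(ok \wedge \psi)$ ignores the copies exactly as the proof requires. 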

This result implies the following corollary on the complexity of model-checking for all 
fragments of intermediate expressiveness: 

Corollary 4.5. The model-checking problem for $\mathrm{CCTL}_1$ is P-complete. 

Note that this weaker fragment allows considerable simplification of the proof presented 
above for $\mathrm{CCTL}_{\pm 1}$. Moreover, model-checking $\mathrm{CCTL}_1$ can be done using the TCTL model-checking 
algorithm provided in [LST03] instead of the more involved construction used for 
Prop. 4.1. 

4.2. Model-checking $\mathrm{CCTL}_{\wedge 1}$, $\mathrm{CCTL}$ and $\mathrm{CCTL}_{\wedge}$. We now establish the complexity of 
model-checking for the fragments $\mathrm{CCTL}_{\wedge 1}$, $\mathrm{CCTL}$ and $\mathrm{CCTL}_{\wedge}$ and show that these problems 
are all $\Delta_2^P$-complete. Let us first recall the definition of the complexity class $\Delta_2^P$, one of the 
classes of the polynomial hierarchy. 
Figure 1. Kripke structure associated to an SNSAT problem. 

Definition 4.6. $\Delta_2^P = \mathrm{P}^{\mathrm{NP}}$ is the class of problems solvable in polynomial time with access 
to an oracle for some NP-complete problem. 

We now prove $\Delta_2^P$-hardness of the model-checking problem for $\mathrm{CCTL}_{\wedge 1}$. 

Theorem 4.7. The model-checking problem for $\mathrm{CCTL}_{\wedge 1}$ is $\Delta_2^P$-hard. 

Proof. We proceed by reduction from the $\Delta_2^P$-complete problem SNSAT (sequentially nested 
satisfiability of propositional logic) [LMS01]. 

Given $p$ families of variables $X_1, \dots, X_p$ with $X_i = \{x_i^1, \dots, x_i^m\}$ and a set $Z = \{z_1, \dots, z_p\}$ 
of $p$ variables, an instance $I$ of SNSAT is defined as a collection of $p$ propositional formulas 
$\varphi_1, \dots, \varphi_p$ under 3-conjunctive normal form (3-CNF), where each $\varphi_i$ involves variables in 
$X_i \cup \{z_1, \dots, z_{i-1}\}$, and the value of each $z_i$ is defined as $z_i \stackrel{\mathrm{def}}{=} \exists X_i\,.\,\varphi_i(z_1, \dots, z_{i-1}, X_i)$. The 
instance $I$ is positive iff the value of $z_p$ is $\top$. We denote by $v_I$ the unique valuation of 
variables in $Z$ induced by $I$. 

From $I$, we define the Kripke structure described in Figure 1. Every state $z_i$ or $x_i^j$ is 
labeled by its name, every state $\bar z_i$ is labeled by some new atomic proposition $\bar z$ and every 
state of the form $q_i$ is labeled by $q$. We use $X$ to denote the set $X_1 \cup \dots \cup X_p$ and $V$ for 
$X \cup Z$. A path $\rho$ from $q_p$ to $q_F$ describes the valuation $v_\rho$ such that $v_\rho(y) = \top$ if $\rho$ visits 
state $y$ and $\bot$ if it visits $\bar y$, for every variable $y$ in $V$. We use a $\mathrm{CCTL}_{\wedge 1}$ formula to ensure 
that $v_\rho$ coincides with $v_I$ over $Z$, that is: $v_\rho(z_i) = \top$ iff $v_I(z_i) = \top$ for any $i \in \{1, \dots, p\}$. 

Let $\hat\varphi_i$ be the formula $\varphi_i$ where every occurrence of the literal $x$ is replaced by $\sharp x = 1$. 
We define the $\mathrm{CCTL}_{\wedge 1}$ formula $\Psi_0$ as $\top$ and for every $1 \leq k \leq p$, $\Psi_k$ as $\mathrm{EX}(\mathrm{E}(\bar z \Rightarrow 
\neg\Psi_{k-1})\mathrm{U}_{[C_k]}\,q_F)$, with $C_k = \bigwedge_{i<k} ((\sharp z_i = 1) \Rightarrow \hat\varphi_i) \wedge \bigwedge_{j=1}^{k} ((\sharp q = j) \Rightarrow \hat\varphi_j)$. The first 
part of the constraint $C_k$ aims at ensuring that $v_\rho(z_i) = \top$ is witnessed by a valuation for 
$\{z_1, \dots, z_{i-1}\} \cup X_i$ satisfying $\hat\varphi_i$. The second part ensures the formula $\hat\varphi_j$ is satisfied by $v_\rho$ 
when $\Psi_k$ is interpreted from $z_j$ or $\bar z_j$ (i.e. when the number of $q$'s along the path leading to 
$q_F$ is $j$). The formula $\Psi_j$ holds for a state $q_i$ with $i < j$ when $v_I(z_i)$ is $\top$. The embedding 
of $\Psi_{j-1}$ inside $\Psi_j$ is used to ensure that going through a $\bar z_m$ with $i > m$ is always necessary 
w.r.t. $I$ (i.e. there is no way to satisfy the corresponding $\varphi_m$): 

Lemma 4.8. For any $i = 1, \dots, p$ and $i \leq j \leq p$, we have: $z_i \models \Psi_j \Leftrightarrow v_I(z_i) = \top$ and 
$\bar z_i \models \Psi_j \Leftrightarrow v_I(z_i) = \top$. 

Proof. First note that the truth value of $\Psi_j$ at $z_i$ and $\bar z_i$ is the same, due to the structure 
of paths and the fact that $\Psi_j$ begins with operator $\mathrm{EX}$. Therefore, both statements of the 
lemma are actually equivalent. Their proof is done by induction on $i$. 

• $i = 1$: Any formula $\Psi_j$ with $1 \leq j \leq p$ holds from $z_1$ iff $q_0$ satisfies $\mathrm{EF}_{[C_j]}\,q_F$. 
And given the definition of $C_j$ and the structure of any path starting from $q_0$, this 
is equivalent to $q_0 \models \mathrm{EF}_{[\hat\varphi_1]}\,q_F$. And this last requirement is clearly equivalent to 
the existence of some valuation for $X_1$ to satisfy $\varphi_1$. Finally note that $z_1 \not\models \Psi_j$ is 
equivalent to $q_0 \models \neg\mathrm{EF}_{[\hat\varphi_1]}\,q_F$ and then $v_I(z_1) = \bot$. 

• $i > 1$: Knowing whether $z_i \models \Psi_j$ is equivalent to $q_{i-1} \models \mathrm{E}(\bar z \Rightarrow \neg\Psi_{j-1})\mathrm{U}_{[C'_j]}\,q_F$ 
where $C'_j$ is the constraint $C'_j = \bigwedge_{\ell < i} ((\sharp z_\ell = 1) \Rightarrow \hat\varphi_\ell) \wedge \hat\varphi_i$. This entails that there 
exists a path $\rho$ leading to $q_F$ and defining a valuation $v_\rho$ such that: 

— for any visited $z_\ell$ with $\ell < i$, we have $v_\rho \models \hat\varphi_\ell$; 

— for any visited $\bar z_\ell$ with $\ell < i$, $\bar z$ is true, and then $\neg\Psi_{j-1}$ holds from $\bar z_\ell$. By 
induction hypothesis we have $v_I(z_\ell) = \bot$; and 

— $v_\rho \models \hat\varphi_i$. 

These three conditions define a valuation $v_\rho$ that coincides with $v_I$ for $\{z_1, \dots, z_{i-1}\}$ 
and such that there exists a compatible valuation for $X_i$ satisfying $\varphi_i$, thus $v_I(z_i) = \top$. 
Now if $z_i \not\models \Psi_j$, then $q_{i-1} \models \neg\mathrm{E}(\bar z \Rightarrow \neg\Psi_{j-1})\mathrm{U}_{[C'_j]}\,q_F$ and then $v_I(z_i) \neq \top$. □ 

It is now sufficient to check whether $z_p$ satisfies $\Psi_p$ or not, and then deduce the truth 
value of $v_I(z_p)$. □ 

Note that in the previous proof, one does not use sums in the constraints to get the 
complexity lower bound. 

Theorem 4.9. The model-checking problem for $\mathrm{CCTL}$ is $\Delta_2^P$-hard. 

Proof. We provide a reduction from the model checking problem for TCTL specifications 
over Durational Kripke structures. TCTL formulas allow to deal with the cost (or duration) 
of paths (i.e. the sum of the weights of the transitions occurring along the path). This 
problem is $\Delta_2^P$-complete [LMS06]. Let $S = (Q, R_S, \ell)$ be a DKS. Let $W$ be the set of 
weights occurring in $S$. We define the Kripke structure $S' = (Q', R_{S'}, \ell')$ as follows: 

• $Q' = Q \cup \{(q, d, q') \mid (q, d, q') \in R_S\}$, 

• for any $(q, d, q') \in R_S$, we add $(q, (q, d, q'))$ and $((q, d, q'), q')$ to $R_{S'}$; and 

• $\ell' : Q' \to 2^{AP'}$ with $AP' = AP \cup \{ok\} \cup \{P_d \mid d \in W\}$, assuming $ok, P_d \notin AP$. And 
we have: $\ell'(q) = \ell(q) \cup \{ok\}$ for any $q \in Q$, and $\ell'(q, d, q') = \{P_d\}$. 

We also inductively define $\tilde\Phi$ for any TCTL formula $\Phi$ as: $\tilde P = P$, $\widetilde{\neg\varphi} = \neg\tilde\varphi$, $\widetilde{\varphi \wedge \psi} = \tilde\varphi \wedge \tilde\psi$, 
$\widetilde{\mathrm{E}\varphi\mathrm{U}_{\sim c}\psi} = \mathrm{E}(ok \Rightarrow \tilde\varphi)\mathrm{U}_{[C_{\sim c}]}(ok \wedge \tilde\psi)$ and $\widetilde{\mathrm{A}\varphi\mathrm{U}_{\sim c}\psi} = \mathrm{A}(ok \Rightarrow \tilde\varphi)\mathrm{U}_{[C_{\sim c}]}(ok \wedge \tilde\psi)$ with $C_{\sim c} = 
\sum_{d \in W} d \cdot \sharp P_d \sim c$. 

Now we can easily see that $q \models_S \Phi$ with $\Phi \in \mathrm{TCTL}$ is equivalent to $q \models_{S'} \tilde\Phi$. □ 

Theorem 4.10. The model-checking problem for $\mathrm{CCTL}_{\wedge}$ is in $\Delta_2^P$. 

Proof. Let $S = (Q, R, \ell)$ be a Kripke structure. For this proof, by definition of $\Delta_2^P$, it 
is sufficient to provide NP procedures to deal with sub-formulas of the form $\mathrm{EF}_{[C]}\psi$ and 
$\mathrm{EG}_{[C]}\psi$ (cf. Rem. 2.6). First let $\{C_1, \dots, C_m\}$ be the set of atomic constraints occurring in 
$C$. Each $C_i$ is of the form $\sum_{j \in [1, n_i]} a^i_j \cdot \sharp\varphi^i_j \sim_i k_i$. And let $k$ be the maximal integer constant 
occurring in $C$. We can now present the algorithms: 

• $\Phi = \mathrm{EF}_{[C]}\psi$: If $q \models \Phi$, then there exists a run $\rho q'$ starting from $q$ such that $q' \models \psi$ 
and $\rho \models C$. First note that we can assume that the length of $\rho$ is bounded with 
respect to the model and formula (more specifically by $m \cdot |Q| \cdot (k+1)$): a sequence of 
$|Q|$ states contributes for at least 1 to some linear expression in $C$ (loops containing 
only 0-states can be avoided since they do not contribute to the satisfaction of $C$) 
and every atomic constraint in $C$ needs at most to collect a total weight of $k + 1$. 
Hence the length of $\rho$ is in $O(|Q| \cdot 2^{|C|})$ due to the binary encoding of the constants. 

An easy NP algorithm consists in guessing the Parikh image⁶ $F_\rho : R \to \mathbb{N}$ of the 
sequence of transitions in $\rho$, where $F_\rho(r)$ with $r \in R$ is the number of occurrences 
of transition $r$ in $\rho$. As the length of $\rho$ is bounded by $m \cdot |Q| \cdot (k + 1)$, $F_\rho$ can be 
represented in polynomial size. Moreover one can check in polynomial time that: 

— $q'$ satisfies $\psi$, 

— $\rho$ satisfies $C$, since $\sharp\varphi = \sum_{r \models \varphi} \sum_{(r, r') \in R} F_\rho(r, r')$, 

— $F_\rho$ corresponds to a correct path in $S$ (by verifying that the sub-graph induced 
by $F_\rho$ is connected and then applying the Euler circuit theorem). 

• $\Phi = \mathrm{EG}_{[C]}\psi$: For this case we have to find an infinite path $\rho$ satisfying the property 
"whenever the current prefix satisfies $C$ then the next state has to satisfy $\psi$". 

Every atomic constraint $C_i$ in $C$ may change its truth value at most twice along $\rho$. 
Therefore $\rho$ can be decomposed in at most $3m$ parts $(\rho_j)_{j \in [1, 3m]}$ along each of which 
the truth value of every $C_i$ is constant. Of course a part can be empty (restricted 
to a single state) and the last part must contain a cycle to ensure that $\rho$ is infinite. 

As previously, the length of every $\rho_j$ is bounded and its Parikh image can be 
encoded in polynomial size. Moreover it is possible to ensure that each $\rho_j$ ends at 
the starting state of $\rho_{j+1}$. Finally we can also compute the truth value of $C$ over any 
sequence $\rho_1 \dots \rho_j$ and then verify whether $\psi$ holds for any state in such a sequence 
if necessary. □ 
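
The three polynomial checks of the $\mathrm{EF}_{[C]}\psi$ case, as an added example in Python (written for this page, not the paper's code): given a guessed Parikh image of the run's transitions, it verifies the witness state, evaluates the Boolean combination $C$ from the counts read off the image, and tests the Euler-trail conditions (out-degree minus in-degree is $+1$ at the start, $-1$ at the end, $0$ elsewhere, and the used edges are weakly connected) that make the multiset the transition count of a real path. The encodings of $S$, of constraints as nested tuples, and the sample structure are assumptions of the example. 

```python
"""Polynomial check of an NP certificate for EF_[C] psi, as in the proof of
Thm. 4.10: the certificate is the Parikh image of the run's transitions.
Added example, not the paper's code; the encodings of S and of the Boolean
combination C (nested tuples, see below) are assumptions of the example."""
from collections import Counter, defaultdict

# Atomic constraint: ("atom", [(a_j, phi_j), ...], "~", k); combinations with
# ("and", c1, c2, ...), ("or", c1, c2, ...), ("not", c).
OPS = {"<": lambda x, k: x < k, "<=": lambda x, k: x <= k, "=": lambda x, k: x == k,
       ">=": lambda x, k: x >= k, ">": lambda x, k: x > k}

def count(parikh, labels, prop):
    """#prop over the run prefix rho: every transition (r, r') taken F(r, r')
    times contributes its source r if r |= prop (the target q' is not counted)."""
    return sum(n for (src, _), n in parikh.items() if prop in labels[src])

def holds(constraint, parikh, labels):
    """Evaluate the Boolean combination C on the counts read off the Parikh image."""
    kind = constraint[0]
    if kind == "atom":
        _, terms, op, k = constraint
        return OPS[op](sum(a * count(parikh, labels, p) for a, p in terms), k)
    if kind == "not":
        return not holds(constraint[1], parikh, labels)
    if kind == "and":
        return all(holds(c, parikh, labels) for c in constraint[1:])
    return any(holds(c, parikh, labels) for c in constraint[1:])  # "or"

def parikh_is_walk(parikh, src, dst):
    """Is there a walk from src to dst using each transition exactly F times?
    Directed Euler-trail criterion: out-degree minus in-degree is +1 at src,
    -1 at dst and 0 elsewhere (0 everywhere when src == dst), and the edges
    with F > 0 are weakly connected to src."""
    out_deg, in_deg, adj = Counter(), Counter(), defaultdict(set)
    for (a, b), n in parikh.items():
        if n > 0:
            out_deg[a] += n
            in_deg[b] += n
            adj[a].add(b)
            adj[b].add(a)
    if not adj:
        return src == dst  # the empty walk
    for v in set(adj) | {src, dst}:
        if out_deg[v] - in_deg[v] != (v == src) - (v == dst):
            return False
    seen, todo = {src}, [src]
    while todo:
        for u in adj[todo.pop()]:
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return set(adj) <= seen

def certificate_ok(parikh, src, dst, edges, labels, constraint, psi):
    """The three polynomial checks of the proof: q' |= psi, C holds on the
    prefix, and F really is the transition multiset of a path of S."""
    if any(e not in edges for e in parikh):
        return False
    return (psi in labels[dst] and holds(constraint, parikh, labels)
            and parikh_is_walk(parikh, src, dst))

# Constructed sample Kripke structure and constraint C = (#p >= 3) and (#r <= 1).
EDGES = {("q0", "q1"), ("q1", "q0"), ("q1", "q2"), ("q2", "q3"), ("q3", "q3")}
LABELS = {"q0": {"p"}, "q1": {"p"}, "q2": {"r"}, "q3": {"psi"}}
CONSTRAINT = ("and", ("atom", [(1, "p")], ">=", 3), ("atom", [(1, "r")], "<=", 1))
# Parikh image of the run q0 q1 q0 q1 q2 q3 (the last state q3 is the witness q').
GOOD = {("q0", "q1"): 2, ("q1", "q0"): 1, ("q1", "q2"): 1, ("q2", "q3"): 1}
```

The certificate is polynomial in size because the run length is bounded as argued above; the check itself never reconstructs the run, which is what keeps it in polynomial time. 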

A direct corollary of Theorems 4.7, 4.9 and 4.10 is: 

Corollary 4.11. The model-checking problem for $\mathrm{CCTL}$, $\mathrm{CCTL}_{\wedge 1}$ and $\mathrm{CCTL}_{\wedge}$ is $\Delta_2^P$-complete. 



4.3. Undecidability. 

Theorem 4.12. The model-checking problem for $\mathrm{CCTL}_{\wedge \pm 1}$ is undecidable. 

Proof. This is done by reduction from the halting problem of a two-counter machine $\mathcal{M}$ 
with counters $C$ and $D$, and $n$ instructions $I_1, \dots, I_n$. Each $I_j$ is either a decrement 
(if X=0 then j else X--, k) where $X$ stands for $C$ or $D$, an increment (X++, j), 
or the halting instruction (halt). We define a Kripke structure $S_{\mathcal{M}} = (Q, R, \ell)$, where 
$Q = \{q_1, \dots, q_n\} \cup \{r_i, s_i, t_i \mid I_i = (\text{if} \dots)\}$. The transition relation is defined as follows: 

• if $I_i = $ (X++, j), then $(q_i, q_j) \in R$; and 

• if $I_i = $ (if X=0 then j else X--, k), then $(q_i, r_i)$, $(r_i, q_k)$, $(q_i, s_i)$, $(s_i, t_i)$, and 
$(t_i, q_j)$ are in $R$. 

The labeling $\ell$ is defined over the set $\{halt, C^{\oplus}, C^{\ominus}, C^{0}, C^{\bar 0}, D^{\oplus}, D^{\ominus}, D^{0}, D^{\bar 0}\}$ as $\ell(q_i) = 
\{X^{\oplus}\}$ if $I_i$ is an increment of $X$, $\ell(r_i) = \{X^{\ominus}\}$, $\ell(s_i) = \{X^{0}\}$ and $\ell(t_i) = \{X^{\bar 0}\}$ if $I_i$ is a 
decrement for $X$, and $\ell(q_i) = \{halt\}$ if $I_i$ is the halting instruction. 

A run going through $s_i$ and $t_i$ for some $i$ will simulate the positive test "$X = 0$": we 
use the propositions $X^{0}$ and $X^{\bar 0}$ to observe this fact. Indeed along any run in $S_{\mathcal{M}}$, a prefix 
satisfies $\sharp X^{0} > \sharp X^{\bar 0}$ if and only if that prefix ends in some state $s_i$, which witnesses the fact 
that the counter's value was deemed equal to zero. The propositions on the other states are 
self-explanatory, witnessing increments and decrements of counters. 

⁶ Recall that the Parikh image of a sequence $u$ over some alphabet $A$ is the function mapping each symbol 
in $A$ to its number of occurrences in $u$. This is also equivalently seen as a vector of dimension $|A|$ called the 
Parikh vector of $u$. 




F. LAROUSSINIE, A. MEYER, AND E. PETONNET 



Checking $\mathrm{CCTL}_{\wedge \pm 1}$ on this structure solves the halting problem, since $\mathcal{M}$ does not halt 
if and only if $q_1 \models_{S_{\mathcal{M}}} \mathrm{EG}_{[C]}\bot$ with the following constraint: 
$$C = (\sharp halt \geq 1) \vee \bigvee_{X \in \{C, D\}} \big((\sharp X^{\oplus} - \sharp X^{\ominus} < 0) \vee (\sharp X^{\oplus} - \sharp X^{\ominus} > 0 \wedge \sharp X^{0} - \sharp X^{\bar 0} > 0)\big)$$ 

This formula states that there exists a run where $C$ is consistently false, where $C$ is true 
either if the run terminates, or if the simulation of $\mathcal{M}$ is wrong because the number of 
decrements is at some point larger than the number of increments, or because some counter 
was incorrectly assumed to be zero while simulating a test. □ 

5. Satisfiability 

Here we address the satisfiability problem: given a formula $\Phi$, does there exist a Kripke 
structure $S = (Q, R, \ell)$ with a state $q \in Q$ such that $q \models \Phi$? 

For branching-time temporal logics, satisfiability problems are often harder than model 
checking (contrary to linear-time temporal logics) [Eme90]; this is also the case for our 
counting logics. As soon as diagonal constraints are allowed (as in $\mathrm{CCTL}_{\pm 1}$ or $\mathrm{CCTL}_{\pm}$), 
satisfiability is undecidable: this can be easily shown by adapting the undecidability proof 
of $\mathrm{CCTL}_{\wedge \pm 1}$ model checking: 

Theorem 5.1. The satisfiability problem for $\mathrm{CCTL}_{\pm 1}$ is undecidable. 

Proof. As in the proof of Theorem 4.12, consider a two-counter machine $\mathcal{M}$ with counters 
$C$ and $D$, and $n$ instructions $I_1, \dots, I_n$. We build a $\mathrm{CCTL}_{\pm 1}$ formula $\Phi_{\mathcal{M}}$ that is satisfiable 
iff $\mathcal{M}$ halts. 

We use the following set of atomic propositions: $AP = \{q_1, \dots, q_n, C^{\oplus}, C^{\ominus}, C^{0}, D^{\oplus}, D^{\ominus}, 
D^{0}, halt\}$. The $\mathrm{CCTL}_{\pm 1}$ formula $\Phi_{\mathcal{M}}$ describes a linear KS whose every state is labeled 
by exactly one $q_i$ corresponding to the current state of $\mathcal{M}$ and one proposition in $V = 
\{C^{\oplus}, C^{\ominus}, C^{0}, D^{\oplus}, D^{\ominus}, D^{0}, halt\}$ that indicates the operation that has to be done ($A^{\oplus}$ and 
$A^{\ominus}$ are used to mark increment and decrement of $A$, and $A^{0}$ labels states corresponding 
to an instruction "if A == ..." when the current value of $A$ is 0). In the following we 
use $I_{\mathcal{M}}(A)$ (resp. $T_{\mathcal{M}}(A)$) to denote the set of instruction numbers corresponding to an 
increment (resp. a test) of counter $A$. $\Phi_{\mathcal{M}}$ is the conjunction of the following formulae: 

(1) $\mathrm{AG}\big(\bigvee_{i = 1 \dots n} (q_i \wedge \bigwedge_{j \neq i} \neg q_j)\big)$ 

(2) $\mathrm{AG}\big(\bigvee_{P \in V} (P \wedge \bigwedge_{P' \in V \setminus \{P\}} \neg P')\big)$ 

(3) for every instruction, we have a step formula $\Phi_i$: 
$$\Phi_i = \begin{cases} \mathrm{AG}\big(q_i \Rightarrow (X^{\oplus} \wedge \mathrm{AX}\,q_j)\big) & \text{if } I_i = \text{(X++, j)} \\ \mathrm{AG}\big(q_i \Rightarrow ((X^{0} \wedge \mathrm{AX}\,q_j) \vee (X^{\ominus} \wedge \mathrm{AX}\,q_k))\big) & \text{if } I_i = \text{(if X=0 then j else X--, k)} \\ \mathrm{AG}\big(q_i \Rightarrow (halt \wedge \mathrm{AX}\,halt)\big) & \text{if } I_i = \text{(halt)} \end{cases}$$ 

(4) no zero test succeeds when the actual value of the corresponding counter is strictly 
positive (i.e. after a prefix witnessing strictly more increments than decrements), 
and no decrement is performed when that value is 0: 
$$\bigwedge_{X \in \{C, D\}} \big(\mathrm{AG}_{[\sharp X^{\oplus} - \sharp X^{\ominus} > 0]}(\neg X^{0}) \wedge \mathrm{AG}_{[\sharp X^{\oplus} = \sharp X^{\ominus}]}(\neg X^{\ominus})\big)$$ 

(5) $\mathrm{AF}\,halt$ 

Clearly $\Phi_{\mathcal{M}}$ is satisfiable by a finite KS iff $\mathcal{M}$ terminates. □ 

For logics with no diagonal constraints, satisfiability remains decidable, with an addi- 
tional cost compared to classical CTL. 

Theorem 5.2. The satisfiability problems for logics ranging from $\mathrm{CCTL}_1$ to $\mathrm{CCTL}_{\wedge}$ are 
2-EXPTIME-complete. 

Proof. Hardness comes from the complexity of $\mathrm{RTCTL}_{=}$ satisfiability [EMSS92]: this logic 
is an extension of CTL with an Until operator equipped with constraints of the form "$= k$" 
over the number of transitions leading to the state satisfying the right part of the Until. 
This result is based on an encoding of an exponential space alternating Turing machine by 
an $\mathrm{RTCTL}_{=}$ formula. Clearly, $\mathrm{RTCTL}_{=}$ is included in $\mathrm{CCTL}_1$. 

2-EXPTIME membership directly follows from the translation given in Lemma 3.1: 
any $\mathrm{CCTL}_{\wedge}$ formula can be translated into CTL and the resulting formula's DAG-size is 
in $O(2^{|\Phi|^2})$. It remains to use an exponential algorithm for CTL satisfiability to obtain a 
2-EXPTIME procedure (note that considering DAG-size instead of standard size does not 
matter for the complexity of the CTL procedure: indeed, in [KVW00] for instance, the size 
of the alternating tree automaton built from a given CTL formula is its number of distinct 
subformulae). □ 



6. Extensions 

In the semantics of CCTL modalities, each new path quantifier resets the counting along a run, or more precisely starts counting anew on the remaining portion of the run. This restriction is quite significant, and ensures in particular that CCTL is a state-based temporal logic. Under some circumstances (as well as for the sake of completeness), it could be useful to relax this hypothesis and consider logics in which nested modalities do not necessarily reset the counting process.

In this section, we define two logics that allow this behaviour. The first one, called CCTL_V, uses explicit variables to keep track of the number of times a sub-formula was made true along the current run since the variable was bound. The second logic, called CCTL^c, uses a special reset modality and a different, cumulative semantics for the Until modality, where counting ranges over the whole portion of the run since the last reset (hence potentially since the very beginning of the run). This logic is interpreted over states with a history.

6.1. Explicit variables. Instead of using counting constraints associated with temporal modalities, we now consider a logic equipped with explicit variables and constraints directly stated inside formulas.

Definition 6.1. Given a set of atomic propositions AP and a countable set of variables V, we denote by CCTL_V the set of formulas of the form

$$\varphi, \psi ::= P \mid \varphi \vee \psi \mid \neg\varphi \mid \mathrm{E}\varphi\mathrm{U}\psi \mid \mathrm{A}\varphi\mathrm{U}\psi \mid z[\psi].\varphi \mid \sum_{i=1}^{l} \alpha_i \cdot z_i \sim c$$

where $P \in AP$, $z, z_i \in V$, $\alpha_i, c \in \mathbb{N}$ and $\sim \in \{<, \le, =, \ge, >\}$.

Intuitively $z[\psi].\varphi$ means that variable z is defined and may be used in formula φ, where it will stand for the number of times formula ψ was observed to be true along the current run since z was defined.

More precisely, when the above formula is evaluated in a certain state, (1) variable z is reset to zero and bound to the sub-formula ψ, (2) at each subsequent step of a run, z is assigned the number of states in which formula ψ has held along this run since z was bound (i.e. the value of z evolves like $\sharp\psi$ in Definition 2.3) and (3) given this semantics for z, φ holds in the current state.

Remark 6.2. The logic CCTL_V can easily express any CCTL_Δ property. Indeed, any CCTL_Δ formula $\mathrm{E}\varphi\mathrm{U}_{[C]}\psi$, where C is a Boolean combination $f(C_1, \ldots, C_m)$ of atomic constraints $C_i = \sum_{j=1}^{l} \alpha^i_j\, \sharp\varphi^i_j \sim k_i$, is equivalent to the CCTL_V formula

$$z^1_1[\varphi^1_1].\, z^1_2[\varphi^1_2].\ \cdots\ z^m_l[\varphi^m_l].\ \mathrm{E}\varphi\mathrm{U}\big(\psi \wedge f(C'_1, \ldots, C'_m)\big)$$

where $C'_i = \sum_{j=1}^{l} \alpha^i_j\, z^i_j \sim k_i$ (and similarly for the A-quantified modality). This translation yields formulas whose size is linear in that of the original formulas.

For example, the CCTL_{Δ1} formula $\mathrm{EF}_{[\sharp P \le 5 \wedge \sharp P' > 2]} P''$, stating that there exists a run along which a state satisfying P'' is reached after at most 5 occurrences of P and more than 2 occurrences of P', can be expressed in CCTL_V as $z_1[P].\, z_2[P'].\, \mathrm{EF}(z_1 \le 5 \wedge z_2 > 2 \wedge P'')$.

We first introduce some notations. Given a function $f : E \to F$, we denote by $\mathrm{dom}(f) \subseteq E$ the domain of f, and by $\mathrm{ran}(f) \subseteq F$ its range. For $x \in E$ and $a \in F$, let $f[x \leftarrow a]$ be the function mapping x to a and every $y \in \mathrm{dom}(f) \setminus \{x\}$ to $f(y)$, and $f|_D$ be the restriction of f to some subset D of E. Moreover we let $\mathrm{cl}(\Phi)$ be the set of all sub-formulas of Φ and $V(\Phi)$ denote the set of all variables occurring in Φ. An occurrence of some $z \in V(\Phi)$ is bound if it occurs in the right-hand side φ of some sub-formula $z[\psi].\varphi \in \mathrm{cl}(\Phi)$, and free otherwise. A variable is free in Φ if it has at least one free occurrence. A formula without any free variable is called closed. Formally, the set $FV(\Phi) \subseteq V(\Phi)$ of free variables of Φ is

$$FV(\varphi_1 \vee \varphi_2) = FV(\mathrm{E}\varphi_1\mathrm{U}\varphi_2) = FV(\mathrm{A}\varphi_1\mathrm{U}\varphi_2) = FV(\varphi_1) \cup FV(\varphi_2)$$

$$FV(P) = \emptyset \qquad FV\Big(\sum_{i=1}^{l} \alpha_i \cdot z_i \sim c\Big) = \{ z_i \mid i \in [1, l] \}$$

$$FV(\neg\varphi) = FV(\varphi) \qquad FV(z[\psi].\varphi) = FV(\psi) \cup (FV(\varphi) \setminus \{z\})$$

Remark 6.3. In order to define the formal semantics of CCTL_V, one must be able to determine, in a given context, which sub-formula ψ is bound to each variable z. For simplicity, we will henceforth make the following two assumptions on the syntax of formulas:

(1) In any formula, every variable is bound at most once. In other words, every sub-formula $z[\psi].\varphi$ deals with a distinct variable z.

(2) In any formula Φ there exists a (strict) total ordering $\prec$ on $V(\Phi)$ such that any formula bound to some variable z only contains occurrences of variables less than z, or more formally, for any sub-formula $z[\psi].\varphi$ of Φ, $z' \in V(\psi)$ implies $z' \prec z$.

Note that neither assumption restricts the expressiveness of the logic, since one may easily rename variable occurrences in any formula to fulfill constraint (1) and order variables according to an infix traversal of a formula's syntax tree to fulfill constraint (2).

We call environment any partial function $e : V \to \mathrm{CCTL}_V$. A pair (Φ, e) where Φ is a CCTL_V formula and e is an environment is called a closure. We distinguish a specific class of closures, called consistent, defined as follows:

Definition 6.4. A CCTL_V closure (Φ, e) is said to be consistent if

(1) $\mathrm{dom}(e) \cap V(\Phi) = FV(\Phi)$;

(2) for all $z \in \mathrm{dom}(e)$ and $z' \in FV(e(z))$, $z' \in \mathrm{dom}(e)$;

(3) for all $z \in \mathrm{dom}(e)$ and $z' \in V(e(z))$, $z' \prec z$.

Condition (1) guarantees that the environment for Φ defines at least all free variables in Φ (and potentially some additional variables not occurring in Φ) and does not redefine any of Φ's variables, condition (2) that e does not refer to undefined variables and condition (3) that there are no cyclic definitions. Note that for any closed formula Φ, $(\Phi, e_\emptyset)$ is consistent, where $e_\emptyset$ is the empty environment.

A consistent CCTL_V closure (φ, e) is interpreted over a state of a Kripke structure extended with a valuation $v : V \to \mathbb{N}$ such that $\mathrm{dom}(v) = \mathrm{dom}(e)$. Given a consistent closure (φ, e), a valuation v such that $\mathrm{dom}(v) = \mathrm{dom}(e)$, and a finite run π of a Kripke structure, let $v +_e \pi$ be the valuation describing the values of variables in $\mathrm{dom}(v)$ after following π (i.e. once the states of π have all been visited and belong to the past): at each step along π, the value of every variable $z \in \mathrm{dom}(v)$ is updated to take into account the truth value of $e(z)$. Formally $v +_e \pi$ is defined inductively as: $v +_e \pi = v$ if $|\pi| = 0$ (i.e. π is the empty sequence), and $(v +_e \pi \cdot r)(z) = v'(z) + 1$ if $(r, v', e) \models e(z)$ (the satisfaction relation ⊨ is defined below) and $(v +_e \pi \cdot r)(z) = v'(z)$ otherwise, where $v'$ is the valuation $v +_e \pi$ and r is a state.

Definition 6.5. The following clauses define the satisfaction of a consistent CCTL_V closure (φ, e) from the state q of some Kripke structure $S = (Q, R, \ell)$ under valuation v with $\mathrm{dom}(v) = \mathrm{dom}(e)$, written $(q, v, e) \models_S \varphi$, by induction over the structure of φ (we omit the cases of Boolean connectives):

$$(q, v, e) \models_S z[\psi].\varphi \text{ iff } (q, v[z \leftarrow 0], e[z \leftarrow \psi]) \models_S \varphi,$$

$$(q, v, e) \models_S \sum_{i=1}^{l} \alpha_i \cdot z_i \sim c \text{ iff } \sum_{i=1}^{l} \alpha_i \cdot v(z_i) \sim c,$$

$$(q, v, e) \models_S \mathrm{E}\varphi\mathrm{U}\psi \text{ iff } \exists \rho \in \mathrm{Runs}(q) \text{ s.t. } (\rho, v, e) \models_S \varphi\mathrm{U}\psi,$$

$$(q, v, e) \models_S \mathrm{A}\varphi\mathrm{U}\psi \text{ iff } \forall \rho \in \mathrm{Runs}(q), \text{ we have } (\rho, v, e) \models_S \varphi\mathrm{U}\psi,$$

$$(\rho, v, e) \models_S \varphi\mathrm{U}\psi \text{ iff } \exists i \ge 0 \text{ s.t. } (\rho(i), v +_e \rho|_{i-1}, e) \models_S \psi \text{ and } \forall 0 \le j < i,\ (\rho(j), v +_e \rho|_{j-1}, e) \models_S \varphi.$$

When there is no risk of confusion, we may omit the subscript S, and simply write $(q, v, e) \models \varphi$. For any closed formula Φ, only the state q is relevant and we will simply write $q \models_S \Phi$ or directly $q \models \Phi$. Remark that, when evaluating a closed formula according to the above semantic rules, only consistent closures are built and considered.

Finally, as a technical tool for the following proofs, we consider the set of relevant variables of a closure, that is the set of variables whose current value is required to decide whether the formula holds for a given state. Given a consistent closure (Φ, e) we define $RV(\Phi, e)$ as follows:

$$RV(z[\psi].\varphi, e) = RV(\varphi, e[z \leftarrow \psi]) \setminus \{z\} \tag{6.1}$$

$$RV(\mathrm{E}\varphi_1\mathrm{U}\varphi_2, e) = RV(\mathrm{A}\varphi_1\mathrm{U}\varphi_2, e) = RV(\varphi_1 \vee \varphi_2, e) = RV(\varphi_1, e) \cup RV(\varphi_2, e) \tag{6.2}$$

$$RV(\neg\varphi, e) = RV(\varphi, e) \tag{6.3}$$

$$RV(P, e) = \emptyset \tag{6.4}$$

$$RV\Big(\sum_{i=1}^{l} \alpha_i \cdot z_i \sim c, e\Big) = \bigcup_{i=1}^{l} \big(\{z_i\} \cup RV(e(z_i), e)\big) \tag{6.5}$$

Note that relevant variables in formula ψ are only added to $RV(z[\psi].\varphi, e)$ when z occurs in formula φ, i.e. in case (6.5) above. Clearly $FV(\Psi) \subseteq RV(\Psi, e) \subseteq V(\Psi)$. Moreover, by Def. 6.4, for every $z' \in RV(e(z), e)$, $z' \prec z$.

Example 6.6. Consider the consistent closure (Ψ, e) with

$$\Psi = z_4[P'].\,\mathrm{EF}(z_4 > 2 \wedge z_2 = 4) \quad \text{and} \quad e = \{ z_1 \mapsto P,\ z_2 \mapsto \mathrm{EX}(z_1 > 2),\ z_3 \mapsto P'' \},$$

we have $FV(\Psi) = \{z_2\}$ and $RV(\Psi, e) = \{z_2, z_1\}$ because $z_1$ occurs free in $e(z_2)$, hence $RV(e(z_2), e) = \{z_1\}$ by Eq. (6.5). Of course $z_3$ belongs to neither set because it occurs nowhere, and neither does $z_4$, because it is bound in Ψ and $RV(e(z_4), e) = \emptyset$.

Given a closure (Ψ, e) and a valuation v, we denote by $v_\Psi$ the restriction $v|_{RV(\Psi, e)}$ of v to the domain $RV(\Psi, e)$ (and $e_\Psi$ is the corresponding restriction of e). The set $RV(\Psi, e)$ contains the relevant variables for evaluating Ψ, as stated by the following lemma.

Lemma 6.7. For any consistent closure (Ψ, e), the closure $(\Psi, e_\Psi)$ is consistent. Moreover, let v be a valuation over $\mathrm{dom}(e)$ and q a state,

The proof of this lemma is straightforward. In the remainder of this section, we will study the expressiveness of this logic, as well as the complexity of its model-checking and satisfiability problems.



6.1.1. Expressiveness. Similarly to CCTL formulas without diagonal constraints, we show in this section that any closed CCTL_V formula can be translated into an equivalent CTL formula.

Proposition 6.8. For every closed CCTL_V formula Φ there exists an equivalent CTL formula of DAG-size $2^{O(|\Phi|^2)}$.

Before presenting the actual translation, we show that variable values may be bounded without changing the satisfaction of a formula. For a valuation v and an integer K, let us denote by $v_K$ the restriction of v to the domain $\{ z \in \mathrm{dom}(v) \mid v(z) \le K \}$.

Lemma 6.9. Let (φ, e) be a consistent CCTL_V closure, and K the maximal constant occurring in a constraint in φ or e. For every Kripke structure S, state q of S and valuations v and v' over $\mathrm{dom}(e)$, we have:

$$v_K = v'_K \ \Rightarrow\ \big((q, v, e) \models_S \varphi \iff (q, v', e) \models_S \varphi\big).$$

Proof. A reformulation of $v_K = v'_K$ is $v(z) \le K \Rightarrow v(z) = v'(z)$. For each free variable z whose value under v is greater than K, the truth value of any constraint where z occurs will be the same for $v(z)$ and any other value greater than K, in particular $v'(z)$, since the constant in the right-hand side of the constraint is at most K. This is true in q, and remains true along any run from q. □

For any consistent closure (φ, e) and for some valuation v with $\mathrm{dom}(v) = \mathrm{dom}(e) = RV(\varphi, e)$, we define the CTL translation $[\![\varphi]\!]^v_e$ by induction on the structure of φ. The case of Boolean connectives and atomic formulas is trivial:

$$[\![\varphi_1 \wedge \varphi_2]\!]^v_e = [\![\varphi_1]\!]^v_e \wedge [\![\varphi_2]\!]^v_e \qquad [\![P]\!]^v_e = P \qquad [\![\neg\varphi]\!]^v_e = \neg[\![\varphi]\!]^v_e \tag{6.6}$$

Variable definitions and constraints are also straightforward. It suffices to update and use the valuation and environment suitably:

$$[\![z[\psi].\varphi]\!]^v_e = [\![\varphi]\!]^{v[z \leftarrow 0]}_{e[z \leftarrow \psi]} \qquad \Big[\!\!\Big[\sum_{i=1}^{l} \alpha_i \cdot z_i \sim c\Big]\!\!\Big]^v_e = \begin{cases} \top & \text{if } \sum_{i=1}^{l} \alpha_i \cdot v(z_i) \sim c \\ \bot & \text{otherwise} \end{cases} \tag{6.7}$$

Dealing with temporal modalities is more complex, and justifies the introduction of auxiliary formulas. Similarly to the translation of CCTL to CTL, the idea is to successively evaluate each formula $e(z)$ which is relevant to the truth value of the whole formula, and to update the valuation accordingly. However, since variable values strictly larger than K (where K is the largest constant occurring in the formula or the environment) are all equivalent according to the previous lemma, it is only useful to evaluate formulas $e(z)$ such that $v(z) \le K$.

$$[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^v_e = \mathrm{E}\big([\![\varphi]\!]^v_e \wedge \Theta^v_e\big)\,\mathrm{U}\,\Big([\![\psi]\!]^v_e \vee \big([\![\varphi]\!]^v_e \wedge \Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, \mathrm{dom}(v_K), v)\big)\Big) \tag{6.8}$$

with $\Theta^v_e = \bigwedge_{z \in \mathrm{dom}(v_K)} \neg[\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}$ and, for $Z \neq \emptyset$, $z \in Z$ and $v'$ a valuation:

$$\Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, Z, v') = \Big(\neg[\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}} \wedge \Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, Z \setminus \{z\}, v')\Big) \vee \Big([\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}} \wedge \Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, Z \setminus \{z\}, v'[z \leftarrow v(z) + 1])\Big) \tag{6.9}$$

and finally:

$$\Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, \emptyset, v') = \begin{cases} \bot & \text{if } v = v', \\ \mathrm{EX}\,[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v'}_e & \text{otherwise.} \end{cases} \tag{6.10}$$

Finally, given a closed CCTL_V formula Φ, we define its CTL translation $[\![\Phi]\!]$ as $[\![\Phi]\!]^{v_\emptyset}_{e_\emptyset}$, where $v_\emptyset$ and $e_\emptyset$ are the empty valuation and environment.

Intuitively, the above translation of Until modalities with valuation v and environment e works by distinguishing interesting states, in which the value of at least one variable in $\mathrm{dom}(v_K)$ changes, from uninteresting ones. The CCTL_V formula $\mathrm{E}\varphi\mathrm{U}\psi$ then holds if, and only if, after a finite sequence of uninteresting states satisfying φ, either ψ holds or the run has reached an interesting state satisfying φ, after which $\mathrm{E}\varphi\mathrm{U}\psi$ holds with a suitably updated valuation.

Formula $\Theta^v_e$ in Eq. (6.8) expresses the fact that the current state is uninteresting, and $\Gamma^v_e(\mathrm{E}\varphi\mathrm{U}\psi, \mathrm{dom}(v_K), v)$ that the current state is interesting, in other words satisfies at least one of the formulas $e(z)$ for z a variable with value at most K in v, and satisfies $\mathrm{EX}[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v'}_e$. For such a state it is necessary to know exactly which formulas $e(z)$ are satisfied, and this is done by scanning the set $\mathrm{dom}(v_K)$, updating the valuation $v'$ for each z in turn whenever $e(z)$ is attested to hold (Eq. (6.9)). If no $e(z)$ holds in the current state, which is witnessed by the fact that $v = v'$, the state is in fact uninteresting and the whole scanning fails; otherwise the unfolding process continues (Eq. (6.10)).

Note how v and e are restricted to relevant variables at every recursive call to the above translation procedure (for instance in $[\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}$). This precaution is used to avoid cycles in the update of variables. It is necessary, since simply translating $e(z)$ with an environment and valuation containing z itself may generate an infinite formula. It is also sufficient, since by definition of consistent closures, $z \notin RV(e(z), e)$.

Formulas $[\![\mathrm{A}\varphi\mathrm{U}\psi]\!]^v_e$ and $\Gamma^v_e(\mathrm{A}\varphi\mathrm{U}\psi, Z, v')$ are defined similarly by replacing each occurrence of E with A in the above formulas.

Lemma 6.10. The above inductive definition for $[\![\Phi]\!]$ is well-founded, in other words $[\![\Phi]\!]$ is a finite CTL formula. The DAG-size of $[\![\Phi]\!]$ is in $2^{O(|\Phi|^2)}$.

Proof. In Equations (6.6) and (6.7), all inductive uses of the translation function are performed over strictly shorter formulas. Even though this is not the case in Eq. (6.10), no recursive call is made unless the valuation $v'$ used in Eq. (6.10) is different from (hence necessarily strictly greater than) v. Since variables assigned a value greater than K do not belong to $\mathrm{dom}(v_K)$, this set will eventually become empty, meaning that no state is considered interesting after some point. Hence no infinite inductive "call" to $[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^v_e$ is possible. Finally, the definition of $\Gamma^v_e(\varphi, Z, v')$ only refers to formulas $\Gamma^v_e(\varphi, Z', v')$ with $Z'$ strictly included in Z.

The maximal number of distinct valuations v we need to consider is bounded by $(K+3)^n$ (since each of the n variables can assume a value between 0 and K+1 or be undefined). Since each $\Gamma^v_e(\varphi, Z, v')$ is indexed by two valuations v and $v'$, one sub-formula φ (of which there are at most $|\Phi|$) and a set of variables Z (at most $2^n$ possibilities), the total number of distinct such formulas to consider is less than $((K+3)^n)^2 \cdot |\Phi| \cdot 2^n$. Overall, since $K \in O(2^{|\Phi|})$ due to the binary encoding and $n \in O(|\Phi|)$, this yields a worst-case DAG-size for $[\![\Phi]\!]$ in $O\big(|\Phi| \cdot (2^{|\Phi|} + 3)^{2|\Phi|} \cdot 2^{|\Phi|}\big) \subseteq 2^{O(|\Phi|^2)}$. □

We have the following correctness lemma:

Lemma 6.11. Let (Φ, e) be a consistent CCTL_V closure, K the maximal constant in Φ and e. For every Kripke structure S, state q of S and (K+1)-bounded valuation v we have:

$$(q, v, e) \models_S \Phi \iff q \models_S [\![\Phi]\!]^v_e.$$

Proof. The proof of the direct implication is done by structural induction over Φ. We only detail the cases of variable definition and temporal modalities.

• $\Phi = z[\varphi].\psi$: Assume $(q, v, e) \models z[\varphi].\psi$. This is semantically equivalent to $(q, v[z \leftarrow 0], e[z \leftarrow \varphi]) \models \psi$. By induction hypothesis $q \models [\![\psi]\!]^{v[z \leftarrow 0]}_{e[z \leftarrow \varphi]}$, hence $q \models [\![\Phi]\!]^v_e$.

• $\Phi = \mathrm{E}\varphi\mathrm{U}\psi$: Assume $(q, v, e) \models \mathrm{E}\varphi\mathrm{U}\psi$. There exists a run $\rho = q_0 q_1 q_2 \cdots$ with $q_0 = q$ and an index $i \ge 0$ such that $(q_i, v +_e \rho|_{i-1}, e) \models \psi$ and for all $0 \le j < i$, $(q_j, v +_e \rho|_{j-1}, e) \models \varphi$. For every $0 \le j \le i$, let $v_j$ be the valuation $v_\Phi +_{e_\Phi} \rho|_{j-1}$, and $Z_j$ be the set of variables z such that $v_j(z) \le K$ and $v_{j+1}(z) = v_j(z) + 1$, i.e. the set of relevant variables whose value is incremented in state $q_j$.

Let $j_1, \ldots, j_l$ be the positions in $\{0, \ldots, i-1\}$ along ρ where $Z_{j_h}$ is non-empty. We reason by induction over l. If $l = 0$, then clearly $q \models \mathrm{E}([\![\varphi]\!]^v_e \wedge \Theta^v_e)\,\mathrm{U}\,[\![\psi]\!]^v_e$, and thus $q \models [\![\Phi]\!]^v_e$. Now assume $l > 0$; we have $Z_j = \emptyset$ for $0 \le j < j_1$, $Z_{j_1} \neq \emptyset$, and:

$$q_{j_1} \models \underbrace{\bigwedge_{z \in Z_{j_1}} [\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}}_{\Phi_1} \wedge \underbrace{\bigwedge_{z \in \mathrm{dom}(e_\Phi) \setminus Z_{j_1}} \neg[\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}}_{\Phi_2}$$

Moreover we have $(q_{j_1+1}, v_{j_1+1}, e) \models \mathrm{E}\varphi\mathrm{U}\psi$. By induction hypothesis over l we have $q_{j_1+1} \models [\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v_{j_1+1}}_e$ and thus:

$$q \models \mathrm{E}\big([\![\varphi]\!]^v_e \wedge \Theta^v_e\big)\,\mathrm{U}\,\big([\![\varphi]\!]^v_e \wedge \Phi_1 \wedge \Phi_2 \wedge \mathrm{EX}[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v_{j_1+1}}_e\big).$$

Therefore we have $q \models [\![\Phi]\!]^v_e$.

• $\Phi = \mathrm{A}\varphi\mathrm{U}\psi$: in this case, every run from q has to verify $\varphi\mathrm{U}\psi$. We can reuse the same approach as before. In the general case, every run starts with a prefix along which every state $q_j$ is such that $Z_j$ is empty, followed by some state $q_{j_1}$ where $Z_{j_1} \neq \emptyset$, which satisfies $\mathrm{AX}[\![\mathrm{A}\varphi\mathrm{U}\psi]\!]^{v_{j_1+1}}_e$.

The converse is also done by structural induction on Φ. The case where $\Phi = z[\varphi].\psi$ follows the same reasoning as above, only backwards. When $\Phi = \mathrm{E}\varphi\mathrm{U}\psi$, we reason by induction on the following (well-founded) ordering of valuations. We write $v' \le v$ whenever $\mathrm{dom}(v'_K) \subseteq \mathrm{dom}(v_K)$ and $\forall x \in \mathrm{dom}(v'_K)$, $v'(x) \ge v(x)$, meaning that $v'$ assigns greater values than v to all variables to which $v'$ assigns a value less than or equal to K, and $v' < v$ if additionally $v' \neq v$. Assume $q \models [\![\Phi]\!]^v_e$, and consider the iterative unfolding of the definitions of subformula Γ in $[\![\Phi]\!]^v_e$. For this formula to hold, there must exist a satisfied formula Ψ, obtained by replacing each disjunction by one of its operands, resulting in a "witness" for the satisfaction of $[\![\Phi]\!]^v_e$. Ψ is of one of the forms:

$$\Psi = \mathrm{E}\big([\![\varphi]\!]^v_e \wedge \Theta^v_e\big)\,\mathrm{U}\,\Big([\![\varphi]\!]^v_e \wedge \bigwedge_{z \in Z} [\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}} \wedge \bigwedge_{z \in \mathrm{dom}(v_K) \setminus Z} \neg[\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}} \wedge \mathrm{EX}[\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v'}_e\Big) \tag{6.11}$$

for some non-empty $Z \subseteq \mathrm{dom}(v_K)$, and with $v'(z) = v(z) + 1$ if $z \in Z$ and $v(z) \le K$, and $v'(z) = v(z)$ otherwise, or

$$\Psi = \mathrm{E}\big([\![\varphi]\!]^v_e \wedge \Theta^v_e\big)\,\mathrm{U}\,[\![\psi]\!]^v_e. \tag{6.12}$$

In the former case (Eq. (6.11)), there must exist a run $\rho = q_0 q_1 \ldots$ and some $k \ge 0$ such that $q_i \not\models_S [\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}$ for all $i < k$ and $z \in \mathrm{dom}(v_K)$, $q_i \models_S [\![\varphi]\!]^v_e$ for all $i \le k$, $q_k \models_S [\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}$ for all $z \in Z$, $q_k \not\models_S [\![e(z)]\!]^{v_{e(z)}}_{e_{e(z)}}$ for all $z \in \mathrm{dom}(v_K) \setminus Z$, and $q_{k+1} \models_S [\![\mathrm{E}\varphi\mathrm{U}\psi]\!]^{v'}_e$. Since $Z \neq \emptyset$, we have $v' < v$, hence by our induction hypotheses over the structure of Φ and the ordering of valuations, we obtain that $(q_i, v, e) \not\models_S e(z)$ for all $i < k$ and $z \in \mathrm{dom}(v_K)$, $(q_i, v, e) \models_S \varphi$ for all $i \le k$, $(q_k, v, e) \models_S e(z)$ for all $z \in Z$, $(q_k, v, e) \not\models_S e(z)$ for all $z \in \mathrm{dom}(v_K) \setminus Z$, and $(q_{k+1}, v', e) \models_S \mathrm{E}\varphi\mathrm{U}\psi$.

Since the truth value of any subformula is independent of the variables which are irrelevant for that subformula or whose value is already greater than K at the beginning of the run, and given the truth values of formulas $e(z)$ along ρ, this implies that $(q_{k+1}, v +_e \rho|_k, e) \models_S \mathrm{E}\varphi\mathrm{U}\psi$ and $\forall i \le k$, $(q_i, v +_e \rho|_{i-1}, e) \models_S \varphi$, hence $(q_0, v, e) \models_S \Phi$, and this remains true for any valuation $v''$ and environment $e''$ such that $v''_\Phi = v$ and $e''_\Phi = e$.

The latter case (Eq. (6.12)) is easier and is solved similarly. As previously, the A quantifier is also treated in the same fashion. □

Example 6.12. For the CCTL_V formula $\Phi = z[P].\,z'[z > 0].\,\mathrm{EF}(z' > 0 \wedge P')$, we obtain (after simplification) the following translation:

$$[\![\Phi]\!] \stackrel{\text{def}}{=} \mathrm{E}(\neg P)\,\mathrm{U}\,\big(P \wedge \mathrm{EX}(\mathrm{EX}\,\mathrm{EF}\,P')\big)$$
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xi x 2 

/ \ / \ 
— > 9l 92 93 

\ / \ / 

Xl X 2 

Figure 2. Kripke structure associated to a QBF instance over {xi, . . . , X2 P }. 

The two nested EX modalities are necessary because one must distinguish the first state r where P holds from its successor r', which is the first to satisfy $z > 0$, and from the successor r'' of r', which is the first state satisfying $z' > 0$.



X2p-1 X2p 
92p-l 92p Q2p+l 

£2p-l %2p 



6.1.2. Model checking.

Theorem 6.13. Model checking closed CCTL_V formulas is PSPACE-complete.

Proof. • PSPACE-hardness can be proved by a reduction from the quantified Boolean formula problem (QBF; this is a simplification of the reduction used for TCTL^c over KS [LST03]). Consider a QBF instance $\mathcal{I} = \exists x_1 \forall x_2 \cdots \exists x_{2p-1} \forall x_{2p} \cdot \Phi$ where Φ is a propositional formula in 3-conjunctive normal form (3-CNF) $\bigwedge_{i=1..m}(\ell^i_1 \vee \ell^i_2 \vee \ell^i_3)$ over $\{x_1, \ldots, x_{2p}\}$. Now consider the KS $S_{\mathcal{I}} = (Q, R, \ell)$ in Figure 2. We assume that every state $q_i$ is labeled with its name, and every state $x_j$ (resp. $\bar{x}_j$) is labeled by the atomic proposition $c_i$ iff $x_j$ (resp. $\neg x_j$) is one of the literals in $\{\ell^i_1, \ell^i_2, \ell^i_3\}$. Then $\mathcal{I}$ is positive iff $q_1$ satisfies the following formula:

$$z_1[c_1].\ \cdots\ z_m[c_m].\ \mathrm{EF}\Big(q_2 \wedge \mathrm{AF}\big(q_3 \wedge \mathrm{EF} \ldots (q_{2p} \wedge \mathrm{AF}(q_{2p+1} \wedge \bigwedge_{i=1..m} z_i \ge 1))\big)\Big)$$

• PSPACE-membership is obtained by considering a non-deterministic algorithm working in polynomial space to decide whether a closed CCTL_V formula Φ holds for a state q within a KS S. This provides an NSPACE procedure which, by Savitch's theorem, implies the existence of a PSPACE algorithm.

We assume that Φ contains n variables $z_1, z_2, \ldots, z_n$. Let us call configuration any triple (q, v, e) where q is a state, v a valuation and e an environment. First note that valuations can be encoded in space polynomial in $|\Phi|$ since it is sufficient to store the value for each variable z as a (K+1)-bounded counter, where K is the maximal constant occurring in Φ, which requires at most $|\Phi|$ bits per variable. Hence configurations can be encoded in space polynomial in $|\Phi|$ and linear in $|S|$.

For any consistent closure (Ψ, e) with $\Psi \in \mathrm{cl}(\Phi)$, we define an NSPACE procedure $\mathrm{Check}(q, v, e, \Psi)$ to decide whether Ψ holds over (q, v, e). We consider several cases according to the structure of Ψ, of which we omit the simplest.

• $\Psi = z_i[\psi_i].\varphi_i$: the returned value is $\mathrm{Check}(q, v[z_i \leftarrow 0], e[z_i \leftarrow \psi_i], \varphi_i)$.

• $\Psi = \sum_{i=1}^{l} \alpha_i \cdot z_i \sim c$: the returned value is the Boolean evaluation of the constraint $\sum_{i=1}^{l} \alpha_i \cdot v(z_i) \sim c$.

• $\Psi = \mathrm{E}\psi_1\mathrm{U}\psi_2$: if $\mathrm{Check}(q, v, e, \psi_2)$ evaluates to ⊤, then the returned value is ⊤. Else if $\mathrm{Check}(q, v, e, \psi_1)$ is ⊥, then the result is ⊥. Otherwise we proceed as follows:

(1) for every $z_i \in RV(\Psi, e)$, call $\mathrm{Check}(q, v_{e(z_i)}, e_{e(z_i)}, e(z_i))$ and assign 1 to an integer variable $\delta_i$ if the result is ⊤, and 0 otherwise;

(2) guess a transition $q \to q'$ in S;

(3) replace the current configuration (q, v, e) by $(q', v', e)$ with $v'(z_i) = \min(K+1, v(z_i) + \delta_i)$ for all $z_i \in RV(\Psi, e)$, and check whether $\psi_2$ holds for it, and so on.

• $\Psi = \mathrm{EG}\varphi$: since there are finitely many (K+1)-bounded configurations, if there is a run for Ψ starting in q then there must also exist one whose corresponding sequence of bounded configurations is ultimately periodic, i.e. consists of a finite sequence of configurations followed by an infinite repetition of a finite configuration cycle (up to valuation equivalence). The procedure $\mathrm{Check}(q, v, e, \Psi)$ can thus consist of the following steps:

(1) start guessing a sequence of transitions as in the previous case, updating the current state and valuation accordingly;

(2) in each new configuration (q, v, e), verify that $\mathrm{Check}(q, v, e, \varphi)$ is ⊤;

(3) at some point, non-deterministically assume the current (bounded) configuration to occur infinitely often in some ultimately periodic run satisfying Ψ, and store the corresponding state $q_r$ and valuation $v_r$;

(4) resume guessing transitions, checking at each step that $\mathrm{Check}(q, v, e, \varphi)$ is ⊤;

(5) return ⊤ if the previously stored recurring configuration is ever encountered again.

Deciding $q \models \Phi$ is then achieved by calling $\mathrm{Check}(q, v_\emptyset, e_\emptyset, \Phi)$.

The space used by $\mathrm{Check}(q, v_\emptyset, e_\emptyset, \Phi)$ is evaluated as follows: for $\mathrm{E}\psi_1\mathrm{U}\psi_2$ or $\mathrm{EG}\psi_1$, we need to store at most three configurations (q, v, e) and k Boolean values. We also need space for the recursive calls over subformulas. The maximal number of such nested calls is bounded by $\mathrm{th}(\Phi) + \sum_{i=1}^{n} \mathrm{th}(e(z_i))$, where $\mathrm{th}(\psi)$ is the temporal height of ψ defined as usual except for the reset operator, for which we have $\mathrm{th}(z[\psi].\varphi) = \mathrm{th}(\varphi)$: indeed the first term comes from the recursive calls for $\mathrm{Check}(q, v, e, \psi_i)$ and the second from the calls $\mathrm{Check}(q, v, e, e(z_i))$. Thus the maximal number of nested calls is bounded by $|\Phi|$. □

Remark 6.14. As soon as subtractions are allowed in CCTL_V, model checking becomes undecidable, as a simple consequence of Thm. 4.12 and Rem. 6.2.



6.1.3. Satisfiability. As in the case of CCTL, the translation of CCTL_V formulas into CTL provides an optimal decision procedure for satisfiability:

Theorem 6.15. The satisfiability problem for CCTL_V is 2-EXPTIME-complete.

Proof. A closed CCTL_V formula Φ is satisfiable (i.e. it holds for a state q in a finite KS S) iff the CTL formula $[\![\Phi]\!]$ is satisfiable. The (DAG) size of $[\![\Phi]\!]$ is in $2^{O(|\Phi|^2)}$, which yields a 2-EXPTIME procedure to decide satisfiability of Φ. Hardness is a consequence of Thm. 5.2 and Rem. 6.2. □
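The bounded-configuration search behind the Check procedure of Theorem 6.13, together with the variable semantics of Definition 6.5 and Example 6.12, as an added example in Python (not code from the paper): configurations are pairs (state, valuation) with values saturated at K+1, E_U_ is reachability in that finite graph and EG is the greatest fixpoint that keeps only configurations lying on an ultimately periodic run. Formula encoding, helper names and the sample Kripke structure are assumptions of this example.

```python
# Explicit-state model checker for closed CCTL_V formulas (added example, not the
# paper's code). Assumes formulas are tuples built with the helpers below, a total
# successor relation over hashable states, and the variable discipline of Remark 6.3.
from functools import lru_cache
import operator

OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
       ">=": operator.ge, ">": operator.gt}
def P(name): return ("P", name)
def And(f, g): return ("and", f, g)
def Bind(z, psi, phi): return ("bind", z, psi, phi)              # z[psi].phi
def Cmp(coeffs, op, c): return ("cmp", tuple(sorted(coeffs.items())), op, c)
def EU(f, g): return ("EU", f, g)
def EG(f): return ("EG", f)
def EF(f): return EU(("true",), f)


class Checker:
    """Valuations are frozensets of (z, value) pairs saturating at K+1 (Lemma 6.9),
    so the (state, valuation) configuration graph explored below is finite."""

    def __init__(self, labels, succ):
        self.labels, self.succ = labels, succ
        self.env, self.K = {}, 0        # e(z) for every bound z; largest constant
        self.sat = lru_cache(maxsize=None)(self._sat)

    def holds(self, formula, q):        # q |= formula; one Checker per formula
        self._collect(formula)
        return self.sat(formula, q, frozenset())

    def _collect(self, f):
        if f[0] == "bind":
            assert f[1] not in self.env, "Remark 6.3(1): variable bound twice"
            self.env[f[1]] = f[2]
        elif f[0] == "cmp":
            self.K = max(self.K, f[3])
            return
        for sub in f[1:]:
            if isinstance(sub, tuple):
                self._collect(sub)

    def step(self, q, v):
        """v +_e q (Def. 6.5): bump z when e(z) holds in q under the pre-q valuation."""
        d = dict(v)
        for z in [z for z, _ in v if self.sat(self.env[z], q, v)]:
            d[z] = min(self.K + 1, d[z] + 1)
        return frozenset(d.items())

    def _sat(self, f, q, v):
        tag = f[0]
        if tag in ("true", "P"):
            return tag == "true" or f[1] in self.labels[q]
        if tag == "not":
            return not self.sat(f[1], q, v)
        if tag == "and":
            return self.sat(f[1], q, v) and self.sat(f[2], q, v)
        if tag == "bind":               # reset z to 0, then evaluate phi
            return self.sat(f[3], q, frozenset({**dict(v), f[1]: 0}.items()))
        if tag == "cmp":
            val = dict(v)
            return OPS[f[2]](sum(a * val[z] for z, a in f[1]), f[3])
        if tag == "EU":
            return self._eu(f[1], f[2], q, v)
        return self._eg(f[1], q, v)     # tag == "EG"

    def _eu(self, f, g, q, v):
        """E f U g: some g-configuration is reachable through f-configurations."""
        seen, stack = {(q, v)}, [(q, v)]
        while stack:
            s, w = stack.pop()
            if self.sat(g, s, w):
                return True
            if self.sat(f, s, w):
                new = {(t, self.step(s, w)) for t in self.succ[s]} - seen
                seen |= new
                stack.extend(new)
        return False

    def _eg(self, f, q, v):
        """EG f: (q, v) survives pruning f-configurations without f-successors."""
        if not self.sat(f, q, v):
            return False
        region, stack, nxt = {(q, v)}, [(q, v)], {}
        while stack:
            s, w = stack.pop()
            w2 = self.step(s, w)
            nxt[(s, w)] = {(t, w2) for t in self.succ[s] if self.sat(f, t, w2)}
            new = nxt[(s, w)] - region
            region |= new
            stack.extend(new)
        while True:                     # greatest fixpoint (ultimately periodic run)
            dead = {c for c in region if not nxt[c] & region}
            if not dead:
                return (q, v) in region
            region -= dead


# Constructed sample KS: q0 -> q1 -> q2 -> q3 -> q3 (loop); P at q1, P' at q3.
SAMPLE_SUCC = {"q0": ("q1",), "q1": ("q2",), "q2": ("q3",), "q3": ("q3",)}
SAMPLE_LABELS = {"q0": set(), "q1": {"P"}, "q2": set(), "q3": {"P'"}}
# Example 6.12: z[P].z'[z > 0].EF(z' > 0 and P'), with z' written z2.
PHI_6_12 = Bind("z", P("P"), Bind("z2", Cmp({"z": 1}, ">", 0),
                                  EF(And(Cmp({"z2": 1}, ">", 0), P("P'")))))
```

Moving P' from q3 to q2 makes PHI_6_12 fail, which is exactly the two-EX delay discussed after Example 6.12.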
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6.2. Cumulative semantics for CCTL. We now define a variant of CCTL based on an 
alternative semantics for E_U_ and A_U_ modalities. In this semantics, nesting two temporal 
modalities no longer resets the counting process for the evaluation of the innermost modality: 
its constraints are then interpreted over the whole run. In order to relax this semantics, we 
add the modality N (for 'now', or rather 'from now on') which specifies that the counters 
have to be reset in the current state and start counting again from the current position. 
Let us fix the syntax of CCTL : 

Definition 6.16. Given a set of atomic propositions AP, we define: 

CCTL C B tp,ip ::= P \ ip A ip \ ^p \ Np Eip\J° [C] tp \ Aip\J c [c ^ip 

with P € AP. As in the case of CCTL, we use shorthands Fj^y and G^p to denote TU^y? 
and -iFj^-iy? respectively. 

CCTL formulas are interpreted over pairs (ir, q) where q is a state of some Kripke 
structure S and ir is a history (i.e. a finite prefix) such that ir ■ q £ Prefs(5). The following 
clauses^ define when a CCTL formula <3? holds for (n,q): 

0,<?) hs E^U c q^ iff 3p € Runs(g), 3i > 0, (tt ■ p(i)) \= s ip, n ■ \=s C, 

and V0 < j < i, (tt • p\j-i,p(j)) \=s V 

(tt, q) hs A^UpjV iff Vp G Runs(g), 34 > 0, (vr • p\i- X ,p{i)) \=s 4>, t • p^_ x ^ s C, 

and V0 < j < i, (vr • p\j-i,p{j)) \=s V 

(ir,q) \= s Nip iff (e,q) \= s p 

The addition of the N modality allows us to easily express CCTL properties. Indeed 
each CCTL formula <3? can be easily translated into a CCTL formula \£ by guarding each 
of its temporal modalities with N. Both formulas are equivalent, in the sense that for any 
state q and history tt, we have q \= $ <^=^ (jr,Q) \= We also have the following useful 
property: 

(7T,q)\=E±U c [c] T ^ tt\=C (6.13) 

For simplicity, in the following we will thus allow ourselves to directly write constraints in 
the formula and not only as subscripts of temporal modalities. 

Example 6.17. The CCTL^c formula $\mathrm{EF}^c_{[\sharp\top \le k_1]}(P_1 \wedge \mathrm{EF}^c_{[\sharp\top \le k_2]} P_2)$ with $k_1 < k_2$ holds for a state q if and only if there exists a run with less than $k_2$ transitions leading to some state satisfying $P_2$, and along this run there is a state satisfying $P_1$ located at less than $k_1$ transitions from q.

Example 6.18. The CCTL^c formula $\mathrm{EF}^c_{[\sharp\varphi \ge k_1]} \mathrm{EF}^c_{[\sharp\varphi \le k_2]}\, \psi$ is semantically equivalent to the CCTL_{Δ1} formula $\mathrm{EF}_{[k_1 \le \sharp\varphi \le k_2]}\, \psi$.

Proposition 6.19. Model checking CCTL^c is PSPACE-hard.

Proof. We reduce the QBF problem to a model-checking problem for CCTL^c by using exactly the same reduction as for CCTL_V (Thm. 6.13): given an instance $\mathcal{I}$ of QBF, we consider the same KS $S_{\mathcal{I}}$ and the following formula:

$$\mathrm{EF}^c\Big(q_2 \wedge \mathrm{AF}^c\big(q_3 \wedge \mathrm{EF}^c \ldots \mathrm{AF}^c(q_{2p+1} \wedge \bigwedge_{i=1..m} \sharp c_i \ge 1)\big)\Big)$$



^9 As previously, we only give the formal semantics of the main modalities. Boolean connectives are interpreted in the natural way.
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Recall that we can use constraints directly inside the formula due to the equivalence (|6.13p 
above. □ 

Note that we do not use N to prove PSPACE-hardness. To prove membership in PSPACE, we show that one can translate any CCTL^c formula φ into an equivalent (and succinct) CCTL_V formula $\overline{\varphi}$. First, given $\varphi \in \mathrm{CCTL}^c$, we use $S_\varphi$ to denote the set of subformulas ψ of φ such that $\sharp\psi$ occurs in a counting constraint inside φ. We now define $\overline{\varphi}$ as follows:

$$\overline{P} = P \qquad \overline{\varphi \wedge \psi} = \overline{\varphi} \wedge \overline{\psi} \qquad \overline{\neg\varphi} = \neg\overline{\varphi}$$

$$\overline{\mathrm{N}\varphi} = z_{\psi_1}[\overline{\psi_1}].\ \ldots\ z_{\psi_k}[\overline{\psi_k}].\ \overline{\varphi} \quad \text{with } S_\varphi = \{\psi_1, \ldots, \psi_k\}$$

$$\overline{\mathrm{E}\varphi\mathrm{U}^c_{[C]}\psi} = \mathrm{E}\overline{\varphi}\,\mathrm{U}\,(C \wedge \overline{\psi}) \qquad \overline{\mathrm{A}\varphi\mathrm{U}^c_{[C]}\psi} = \mathrm{A}\overline{\varphi}\,\mathrm{U}\,(C \wedge \overline{\psi})$$

Given a set of formulas S, a prefix π, a valuation v for a set of variables V and an environment e, we say that (v, e) is compatible with (S, π) (written $(v, e) \rhd (S, \pi)$) if and only if for any $\psi \in S$, there is some $z_\psi \in \mathrm{dom}(v)$ such that $e(z_\psi) = \overline{\psi}$ and $v(z_\psi) = |\pi|_\psi$. We have the following property:

Lemma 6.20. Let Φ be a CCTL^c formula, q a state in some KS S, and $\pi \in \mathrm{Prefs}(S)$ be a finite run such that $\pi \cdot q \in \mathrm{Prefs}(S)$. Let $v : V \to \mathbb{N} \cup \{\bot\}$ be a valuation for a set of variables V and let e be an environment such that (v, e) is compatible with $(S_\Phi, \pi)$. Then:

$$(\pi, q) \models_S \Phi \iff (q, v, e) \models_S \overline{\Phi}$$

Proof. The proof is done by structural induction over Φ. The result is direct for atomic propositions and Boolean connectives.

Let $\Phi = \mathrm{E}\varphi\mathrm{U}^c_{[C]}\psi$, and assume $(\pi, q) \models \Phi$. Then there exist $\rho \in \mathrm{Runs}(q)$ and $i \ge 0$ such that (a) $(\pi \cdot \rho|_{i-1}, \rho(i)) \models \psi$, (b) $\pi \cdot \rho|_{i-1} \models C$ and (c) for all $0 \le j < i$ we have: $(\pi \cdot \rho|_{j-1}, \rho(j)) \models \varphi$. Consider a valuation v and an environment e such that (v, e) is compatible with $(S_\Phi, \pi)$. Let $v_k$ be the valuation $v +_e \rho|_{k-1}$ for $k \in \{0, 1, \ldots, i\}$ (where $v_0 = v$). Clearly $(v_k, e) \rhd (S_\Phi, \pi \cdot \rho|_{k-1})$, and since $S_\varphi \subseteq S_\Phi$ and $S_\psi \subseteq S_\Phi$, $(v_k, e)$ is compatible with $(S_\varphi, \pi \cdot \rho|_{k-1})$ and $(S_\psi, \pi \cdot \rho|_{k-1})$. By induction hypothesis, we can deduce from (a) and (c) that (a') $(\rho(i), v_i, e) \models \overline{\psi}$, and (c') $(\rho(j), v_j, e) \models \overline{\varphi}$ for any $j = 0, \ldots, i-1$. Moreover from (b) we can deduce: (b') $v_i \models C$. Thus $(q, v, e) \models \mathrm{E}\overline{\varphi}\,\mathrm{U}\,(C \wedge \overline{\psi})$.

Conversely, assume $(q, v, e) \models \mathrm{E}\overline{\varphi}\,\mathrm{U}\,(C \wedge \overline{\psi})$. Then there exist $\rho \in \mathrm{Runs}(q)$ and $i \ge 0$ such that (a) $(\rho(i), v +_e \rho|_{i-1}, e) \models \overline{\psi}$, (b) $v +_e \rho|_{i-1} \models C$ and (c) for all $0 \le j < i$ we have: $(\rho(j), v +_e \rho|_{j-1}, e) \models \overline{\varphi}$. Now consider a prefix π such that $\pi \cdot q \in \mathrm{Prefs}(S)$ and $(v, e) \rhd (S_\Phi, \pi)$. By induction hypothesis, we have: $(\pi \cdot \rho|_{i-1}, \rho(i)) \models \psi$ and $(\pi \cdot \rho|_{j-1}, \rho(j)) \models \varphi$ for any $j = 0, \ldots, i-1$. Hence $(\pi, q) \models \mathrm{E}\varphi\mathrm{U}^c_{[C]}\psi$.

The case $\Phi = \mathrm{A}\varphi\mathrm{U}^c_{[C]}\psi$ is treated similarly.

Let now $\Phi = \mathrm{N}\varphi$, and assume $S_\varphi = \{\psi_1, \ldots, \psi_k\}$. Let e be an environment such that every $\psi_i \in S_\varphi$ has its variable $z_{\psi_i} \in \mathrm{dom}(e)$. Then for any valuation $v_0$ that assigns 0 to every $z_{\psi_i}$,

$$(\pi, q) \models \mathrm{N}\varphi \iff (\varepsilon, q) \models \varphi \iff (q, v_0, e) \models \overline{\varphi}.$$

This is equivalent to $(q, v, e) \models z_{\psi_1}[\overline{\psi_1}].\ \ldots\ z_{\psi_k}[\overline{\psi_k}].\ \overline{\varphi}$ for any valuation v such that $(v, e) \rhd (S_\Phi, \pi)$. □
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In fact, CCTL° can be seen as a variant of CCTL V where only a global reset operator is 
available, whose effect corresponds to the N modality in CCTL C . A direct consequence is: 

Proposition 6.21. The model checking problem for CCTL C A is in PSPACE. 

This implies the following corollary: 

Corollary 6.22. The model checking problem for all CCTL C variants up to CCTL C A is 
PSPACE-complete. 

Again, as soon as diagonal constraints are allowed model checking becomes undecidable: 
Theorem 6.23. Model checking CCTL^ is undecidable. 

Proof. The proof is based on the same technique as that of Theorem 4.12. Consider a two-counter machine $\mathcal M$ with counters $C$ and $D$ and $n$ instructions. We define a Kripke structure $\mathcal S_{\mathcal M} = (Q, R, \ell)$ where $Q = \{q_1,\ldots,q_n\} \cup \{r_i, s_i \mid \mathrm{inst}_i = (\text{if}\ \cdots)\}$. The transition relation is defined as follows:

• if $\mathrm{inst}_i = (X{+}{+},\, j)$, then $(q_i, q_j) \in R$; and

• if $\mathrm{inst}_i = (\text{if } X{=}0 \text{ then } j \text{ else } X{-}{-},\, k)$, then $(q_i, r_i)$, $(q_i, s_i)$, $(r_i, q_k)$ and $(s_i, q_j)$ are in $R$.

The labeling $\ell$ is defined over the set $\{\mathit{halt}\} \cup \bigcup_{X \in \{C,D\}} \{X^+, X^-, X^0\}$ as follows: $\ell(q_i) = \{X^+\}$ if $\mathrm{inst}_i$ is an increment of $X$; $\ell(r_i) = \{X^-\}$ and $\ell(s_i) = \{X^0\}$ if $\mathrm{inst}_i$ is a conditional decrement of $X$; and $\ell(q_i) = \{\mathit{halt}\}$ if $\mathrm{inst}_i$ is the halting instruction. One can show that there exists a divergent run iff $q_1$ satisfies the formula $\Phi_{\mathcal M}$ defined as follows:

$$\mathrm{EG}\Big[\neg\mathit{halt} \wedge \bigwedge_{X \in \{C,D\}} \big((X^0 \Rightarrow \sharp X^+ = \sharp X^-) \wedge (X^- \Rightarrow \sharp X^+ > \sharp X^-)\big)\Big]$$

Note that we do not use N to prove undecidability. $\square$
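The reduction above builds $\mathcal S_{\mathcal M}$ mechanically from the instruction list, and the counting constraint in $\Phi_{\mathcal M}$ is what forces the nondeterministic choice between $r_i$ and $s_i$ to agree with the actual counter value. The following Python script is an added example, not code from the paper: it builds $(Q, R, \ell)$ for a two-counter program, enumerates the halt-free paths on which every state satisfies the path-local part of $\Phi_{\mathcal M}$, and compares the $q$-states of those paths with a direct run of the machine. The instruction encoding, the function names, the two constructed programs and the convention that $\sharp$ counts the states strictly before the current one are this example's own assumptions.

```python
"""
Two-counter machine -> Kripke structure, following the reduction behind
Theorem 6.23.  Added example, not code from the paper.  Instruction encoding,
function names and the "count the prefix strictly before the current state"
convention are assumptions made for this example.
"""
from collections import Counter

# Assumed instruction formats (program is 1-indexed, as in the paper):
#   ("inc", X, j)       : X++ ; goto j
#   ("jzdec", X, j, k)  : if X == 0 goto j else X-- ; goto k
#   ("halt",)
COUNTERS = ("C", "D")


def build_kripke(program):
    """Build S_M = (Q, R, label): one q_i per instruction, plus r_i (decrement
    branch) and s_i (zero-test branch) for every conditional decrement."""
    Q, R, label = [], set(), {}
    for i, ins in enumerate(program, start=1):
        qi = f"q{i}"
        Q.append(qi)
        if ins[0] == "inc":
            _, X, j = ins
            R.add((qi, f"q{j}"))
            label[qi] = {f"{X}+"}
        elif ins[0] == "jzdec":
            _, X, j, k = ins
            ri, si = f"r{i}", f"s{i}"
            Q += [ri, si]
            R |= {(qi, ri), (qi, si), (ri, f"q{k}"), (si, f"q{j}")}
            label[qi], label[ri], label[si] = set(), {f"{X}-"}, {f"{X}0"}
        elif ins[0] == "halt":
            label[qi] = {"halt"}
        else:
            raise ValueError(f"unknown instruction {ins}")
    return Q, R, label


def constraint_holds(prefix_counts, lab):
    """Path-local part of the EG formula at one state:
       X0 => #X+ = #X-   and   X- => #X+ > #X-   for X in {C, D}.
    Counts range over the states strictly before the current one (assumed)."""
    for X in COUNTERS:
        plus, minus = prefix_counts[f"{X}+"], prefix_counts[f"{X}-"]
        if f"{X}0" in lab and plus != minus:
            return False
        if f"{X}-" in lab and not plus > minus:
            return False
    return True


def constrained_paths(program, length, start="q1"):
    """All halt-free paths of `length` states from `start` on which every state
    satisfies constraint_holds.  The machine is deterministic, so there is at
    most one such path, and one exists for every length iff the machine diverges."""
    _, R, label = build_kripke(program)
    succ = {}
    for a, b in R:
        succ.setdefault(a, []).append(b)
    out = []

    def walk(path, counts):
        state = path[-1]
        if "halt" in label[state] or not constraint_holds(counts, label[state]):
            return
        if len(path) == length:
            out.append(list(path))
            return
        counts = counts + Counter(label[state])  # add this state's labels
        for nxt in sorted(succ.get(state, [])):
            walk(path + [nxt], counts)

    walk([start], Counter())
    return out


def machine_trace(program, steps):
    """Run the machine directly and return the program counters visited; the
    q-states of a constrained path must reproduce this sequence."""
    pc, regs, seen = 1, {"C": 0, "D": 0}, []
    for _ in range(steps):
        seen.append(pc)
        ins = program[pc - 1]
        if ins[0] == "halt":
            break
        if ins[0] == "inc":
            regs[ins[1]] += 1
            pc = ins[2]
        else:
            _, X, j, k = ins
            if regs[X] == 0:
                pc = j
            else:
                regs[X] -= 1
                pc = k
    return seen


# Constructed sample programs: LOOPING never halts, HALTING stops at once.
LOOPING = [("inc", "C", 2), ("jzdec", "C", 4, 3), ("inc", "D", 1), ("halt",)]
HALTING = [("jzdec", "C", 2, 1), ("halt",)]

if __name__ == "__main__":
    for name, prog in (("LOOPING", LOOPING), ("HALTING", HALTING)):
        print(name, "constrained halt-free paths of length 9:", constrained_paths(prog, 9))
        print(name, "machine trace:", machine_trace(prog, 7))
```

For LOOPING exactly one constrained path exists at every length (at q2 the zero-test successor s2 is always ruled out because $\sharp C^+ \neq \sharp C^-$), which is the situation in which $\Phi_{\mathcal M}$ holds at q1. For HALTING the only constrained path is q1, s1 and then the halt state, so no halt-free constrained path of three or more states exists and the EG formula fails.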

Using the same techniques as previously, we obtain the following results for satisfiability:

Theorem 6.24. The satisfiability problem for all variants of CCTL$^c$ from CCTL$^c_1$ up to CCTL$^c_\wedge$ is 2-EXPTIME-complete, and becomes undecidable once diagonal constraints are allowed.



7. Conclusion 

In several cases (particularly CCTL$^v$, and thus also CCTL$_\wedge$ and the fragments with diagonal constraints), the logics we introduce are not more expressive than CTL, but they can concisely express properties which would be difficult to write in that logic. In particular, even the fragment CCTL$_1$, as well as CCTL$_\wedge$ with unary-encoded coefficients, can yield exponentially more succinct formulas than CTL.

In terms of algorithmic complexity, even though CCTL$_{\pm 1}$ is strictly more expressive than CTL, its model checking remains polynomial. The introduction of either coefficients or Boolean combinations increases the complexity to $\Delta_2^P$, while the interplay between Boolean connectives and possibly negative coefficients yields undecidability. Similarly, satisfiability is 2-EXPTIME-complete for all classes without negative coefficients (whereas it is only EXPTIME-complete for CTL [EH85]), and undecidable for all the classes above them. All complexity results are summarized in Figure 3.

Further work on CCTL will include completing the study of the succinctness of its fragments with respect to each other and to other logics, looking for an upper complexity bound for the model checking of CCTL$_\pm$, and investigating new kinds of constraints. We also wish to pursue the work described in this article and in [LMP10b] by investigating counting extensions of other temporal logics (for instance with past operators) as well as of the $\mu$-calculus.
Figure 3. Summary of model-checking and satisfiability complexity results. Arrows indicate syntactic inclusion or straightforward linear translations (case of CCTL$^v$).